Update changes file

Merge pull request #510 from sshuttle/dependabot/pip/attrs-20.1.0
Bump attrs from 19.3.0 to 20.1.0
2025-07-04 16:50:34 +02:00 · 2020-08-24 08:00:36 +10:00 · 2020-08-21 16:42:05 +10:00 · 2020-08-21 06:37:11 +00:00 · 2020-08-18 07:46:59 +10:00 · 2020-08-17 19:00:50 +10:00
51 changed files with 1851 additions and 783 deletions
--- a/.github/workflows/pythonpackage.yml
+++ b/.github/workflows/pythonpackage.yml
@ -0,0 +1,35 @@
 # This workflow will install Python dependencies, run tests and lint with a variety of Python versions
 # For more information see: https://help.github.com/actions/language-and-framework-guides/using-python-with-github-actions
 name: Python package
 on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
 jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: [3.5, 3.6, 3.7, 3.8]
    steps:
    - uses: actions/checkout@v2
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v2
      with:
        python-version: ${{ matrix.python-version }}
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        pip install -r requirements-tests.txt
    - name: Lint with flake8
      run: |
        flake8 sshuttle tests --count --show-source --statistics
    - name: Test with pytest
      run: |
        PYTHONPATH=$PWD pytest
--- a/.gitignore
+++ b/.gitignore
@ -13,3 +13,5 @@
 /.do_built
 /.do_built.dir
 /.redo
 /.pytest_cache/
 /.python-version
--- a/.prospector.yml
+++ b/.prospector.yml
@ -0,0 +1,24 @@
 strictness: medium
 pylint:
  disable:
    - too-many-statements
    - too-many-locals
    - too-many-function-args
    - too-many-arguments
    - too-many-branches
    - bare-except
    - protected-access
    - no-else-return
    - unused-argument
    - method-hidden
    - arguments-differ
    - wrong-import-position
    - raising-bad-type
 pep8:
  options:
    max-line-length: 79
 mccabe:
  run: false
--- a/.travis.yml
+++ b/.travis.yml
@ -1,13 +0,0 @@
 language: python
 python:
 - 2.6
 - 2.7
 - 3.4
 - 3.5
 - pypy
 install:
    - travis_retry pip install -q pytest mock
 script:
  - PYTHONPATH=. py.test
--- a/CHANGES.rst
+++ b/CHANGES.rst
@ -9,6 +9,173 @@ adheres to `Semantic Versioning`_.
 .. _`Semantic Versioning`: http://semver.org/
 1.0.3 - 2020-08-24
 ------------------
 Fixed
 ~~~~~
 * Allow Mux() flush/fill to work with python < 3.5
 * Fix parse_hostport to always return string for host.
 * Require -r/--remote parameter.
 * Add missing package in OpenWRT documentation.
 * Fix doc about --listen option.
 * README: add Ubuntu.
 * Increase IP4 ttl to 63 hops instead of 42.
 * Fix formatting in installation.rst
 1.0.3 - 2020-07-12
 ------------------
 Fixed
 ~~~~~
 * Ask setuptools to require Python 3.5 and above.
 * Add missing import.
 * Fix formatting typos in usage docs
 1.0.2 - 2020-06-18
 ------------------
 Fixed
 ~~~~~
 * Leave use of default port to ssh command.
 * Remove unwanted references to Python 2.7 in docs.
 * Replace usage of deprecated imp.
 * Fix connection with @ sign in username.
 1.0.1 - 2020-06-05
 ------------------
 Fixed
 ~~~~~
 * Errors in python long_documentation.
 1.0.0 - 2020-06-05
 ------------------
 Added
 ~~~~~
 * Python 3.8 support.
 * sshpass support.
 * Auto sudoers file (#269).
 * option for latency control buffer size.
 * Docs: FreeBSD'.
 * Docs: Nix'.
 * Docs: openwrt'.
 * Docs: install instructions for Fedora'.
 * Docs: install instructions for Arch Linux'.
 * Docs: 'My VPN broke and need a solution fast'.
 Removed
 ~~~~~~~
 * Python 2.6 support.
 * Python 2.7 support.
 Fixed
 ~~~~~
 * Remove debug message for getpeername failure.
 * Fix crash triggered by port scans closing socket.
 * Added "Running as a service" to docs.
 * Systemd integration.
 * Trap UnicodeError to handle cases where hostnames returned by DNS are invalid.
 * Formatting error in CHANGES.rst
 * Various errors in documentation.
 * Nftables based method.
 * Make hostwatch locale-independent (#379).
 * Add tproxy udp port mark filter that was missed in #144, fixes #367.
 * Capturing of local DNS servers.
 * Crashing on ECONNABORTED.
 * Size of pf_rule, which grew in OpenBSD 6.4.
 * Use prompt for sudo, not needed for doas.
 * Arch linux installation instructions.
 * tests for existing PR-312 (#337).
 * Hyphen in hostname.
 * Assembler import (#319).
 0.78.5 - 2019-01-28
 -------------------
 Added
 ~~~~~
 * doas support as replacmeent for sudo on OpenBSD.
 * Added ChromeOS section to documentation (#262)
 * Add --no-sudo-pythonpath option
 Fixed
 ~~~~~
 * Fix forwarding to a single port.
 * Various updates to documentation.
 * Don't crash if we can't look up peername
 * Fix missing string formatting argument
 * Moved sshuttle/tests into tests.
 * Updated bandit config.
 * Replace path /dev/null by os.devnull.
 * Added coverage report to tests.
 * Fixes support for OpenBSD (6.1+) (#282).
 * Close stdin, stdout, and stderr when using syslog or forking to daemon (#283).
 * Changes pf exclusion rules precedence.
 * Fix deadlock with iptables with large ruleset.
 * docs: document --ns-hosts --to-ns and update --dns.
 * Use subprocess.check_output instead of run.
 * Fix potential deadlock condition in nft_get_handle.
 * auto-nets: retrieve routes only if using auto-nets.
 0.78.4 - 2018-04-02
 -------------------
 Added
 ~~~~~
 * Add homebrew instructions.
 * Route traffic by linux user.
 * Add nat-like method using nftables instead of iptables.
 Changed
 ~~~~~~~
 * Talk to custom DNS server on pod, instead of the ones in /etc/resolv.conf.
 * Add new option for overriding destination DNS server.
 * Changed subnet parsing. Previously 10/8 become 10.0.0.0/8.  Now it gets
  parsed as 0.0.0.10/8.
 * Make hostwatch find both fqdn and hostname.
 * Use versions of python3 greater than 3.5 when available (e.g. 3.6).
 Removed
 ~~~~~~~
 * Remove Python 2.6 from automatic tests.
 Fixed
 ~~~~~
 * Fix case where there is no --dns.
 * [pf] Avoid port forwarding from loopback address.
 * Use getaddrinfo to obtain a correct sockaddr.
 * Skip empty lines on incoming routes data.
 * Just skip empty lines of routes data instead of stopping processing.
 * [pf] Load pf kernel module when enabling pf.
 * [pf] Test double restore (ipv4, ipv6) disables only once; test kldload.
 * Fixes UDP and DNS proxies binding to the same socket address.
 * Mock socket bind to avoid depending on local IPs being available in test box.
 * Fix no value passed for argument auto_hosts in hw_main call.
 * Fixed incorrect license information in setup.py.
 * Preserve peer and port properly.
 * Make --to-dns and --ns-host work well together.
 * Remove test that fails under OSX.
 * Specify pip requirements for tests.
 * Use flake8 to find Python syntax errors or undefined names.
 * Fix compatibility with the sudoers file.
 * Stop using SO_REUSEADDR on sockets.
 * Declare 'verbosity' as global variable to placate linters.
 * Adds 'cd sshuttle' after 'git' to README and docs.
 * Documentation for loading options from configuration file.
 * Load options from a file.
 * Fix firewall.py.
 * Move sdnotify after setting up firewall rules.
 * Fix tests on Macos.
 0.78.3 - 2017-07-09
 -------------------
 The "I should have done a git pull" first release.
--- a/README.rst
+++ b/README.rst
@ -23,15 +23,32 @@ common case:
 - You can't use openssh's PermitTunnel feature because
  it's disabled by default on openssh servers; plus it does
-  TCP-over-TCP, which has terrible performance (see below).
+  TCP-over-TCP, which has `terrible performance`_.
-
+  
 .. _terrible performance: https://sshuttle.readthedocs.io/en/stable/how-it-works.html
 Obtaining sshuttle
 ------------------
 - Ubuntu 16.04 or later::
      apt-get install sshuttle
 - Debian stretch or later::
      apt-get install sshuttle
 - Arch Linux::
      pacman -S sshuttle
 - Fedora::
      dnf install sshuttle
 - NixOS::
      nix-env -iA nixos.sshuttle
 - From PyPI::
@ -40,8 +57,16 @@ Obtaining sshuttle
 - Clone::
      git clone https://github.com/sshuttle/sshuttle.git
      cd sshuttle
      sudo ./setup.py install
 - FreeBSD::
      # ports
      cd /usr/ports/net/py-sshuttle && make install clean
      # pkg
      pkg install py36-sshuttle
 It is also possible to install into a virtualenv as a non-root user.
 - From PyPI::
@ -55,12 +80,28 @@ It is also possible to install into a virtualenv as a non-root user.
      virtualenv -p python3 /tmp/sshuttle
      . /tmp/sshuttle/bin/activate
      git clone https://github.com/sshuttle/sshuttle.git
      cd sshuttle
      ./setup.py install
 - Homebrew::
      brew install sshuttle
 - Nix::
      nix-env -iA nixpkgs.sshuttle
 Documentation
 -------------
 The documentation for the stable version is available at:
-http://sshuttle.readthedocs.org/
+https://sshuttle.readthedocs.org/
 The documentation for the latest development version is available at:
-http://sshuttle.readthedocs.org/en/latest/
+https://sshuttle.readthedocs.org/en/latest/
 Running as a service
 --------------------
 Sshuttle can also be run as a service and configured using a config management system: 
 https://medium.com/@mike.reider/using-sshuttle-as-a-service-bec2684a65fe
--- a/bandit.yml
+++ b/bandit.yml
@ -0,0 +1,9 @@
 exclude_dirs:
  - tests
 skips:
  - B101
  - B104
  - B404
  - B603
  - B606
  - B607
--- a/bin/sudoers-add
+++ b/bin/sudoers-add
@ -0,0 +1,76 @@
 #!/usr/bin/env bash
 # William Mantly <wmantly@gmail.com>
 # MIT License
 # https://github.com/wmantly/sudoers-add
 NEWLINE=$'\n'
 CONTENT=""
 ME="$(basename "$(test -L "$0" && readlink "$0" || echo "$0")")"
 if [ "$1" == "--help" ] || [ "$1" == "-h" ]; then
 	echo "Usage: $ME [file_path] [sudoers-file-name]"
 	echo "Usage: [content] | $ME sudoers-file-name"
 	echo "This will take a sudoers config validate it and add it to /etc/sudoers.d/{sudoers-file-name}"
 	echo "The config can come from a file, first usage example or piped in second example."
 	exit 0
 fi
 if [ "$1" == "" ]; then
 	(>&2 echo "This command take at lest one argument. See $ME --help")
 	exit 1	
 fi
 if [ "$2" == "" ]; then
 	FILE_NAME=$1
 	shift
 else
 	FILE_NAME=$2
 fi
 if [[ $EUID -ne 0 ]]; then
 	echo "This script must be run as root"
 	exit 1
 fi
 while read -r line
 do
 	CONTENT+="${line}${NEWLINE}"
 done < "${1:-/dev/stdin}"
 if [ "$CONTENT" == "" ]; then
 	(>&2 echo "No config content specified. See $ME --help")
 	exit 1
 fi
 if [ "$FILE_NAME" == "" ]; then
 	(>&2 echo "No sudoers file name specified. See $ME --help")
 	exit 1
 fi
 # Make a temp file to hold the sudoers config
 umask 077
 TEMP_FILE=$(mktemp)
 echo "$CONTENT" > "$TEMP_FILE"
 # Make sure the content is valid
 visudo_STDOUT=$(visudo -c -f "$TEMP_FILE" 2>&1)
 visudo_code=$?
 # The temp file is no longer needed
 rm "$TEMP_FILE"
 if [ $visudo_code -eq 0 ]; then
 	echo "$CONTENT" > "/etc/sudoers.d/$FILE_NAME"
 	chmod 0440 "/etc/sudoers.d/$FILE_NAME"
 	echo "The sudoers file /etc/sudoers.d/$FILE_NAME has been successfully created!"
 	exit 0
 else
 	echo "Invalid sudoers config!"
 	echo "$visudo_STDOUT"
 	exit 1
 fi
--- a/conftest.py
+++ b/conftest.py
@ -1,10 +0,0 @@
 import sys
 if sys.version_info >= (3, 0):
    good_python = sys.version_info >= (3, 5)
 else:
    good_python = sys.version_info >= (2, 7)
 collect_ignore = []
 if not good_python:
    collect_ignore.append("sshuttle/tests/client")
--- a/docs/chromeos.rst
+++ b/docs/chromeos.rst
@ -0,0 +1,12 @@
 Google ChromeOS
 ===============
 Currently there is no built in support for running sshuttle directly on
 Google ChromeOS/Chromebooks.
 What we can really do is to create a Linux VM with Crostini.  In the default
 stretch/Debian 9 VM, you can then install sshuttle as on any Linux box and
 it just works, as do xterms and ssvncviewer etc.
 https://www.reddit.com/r/Crostini/wiki/getstarted/crostini-setup-guide
--- a/docs/installation.rst
+++ b/docs/installation.rst
@ -5,7 +5,20 @@ Installation
      pip install sshuttle
 - Debain package manager::
      sudo apt install sshuttle
 - Clone::
      git clone https://github.com/sshuttle/sshuttle.git
      cd sshuttle
      ./setup.py install
 Optionally after installation
 -----------------------------
 - Add to sudoers file::
      sshuttle --sudoers
--- a/docs/manpage.rst
+++ b/docs/manpage.rst
@ -11,7 +11,7 @@ Description
 -----------
 :program:`sshuttle` allows you to create a VPN connection from your
 machine to any remote server that you can connect to via
-ssh, as long as that server has python 2.3 or higher.
+ssh, as long as that server has python 3.5 or higher.
 To work, you must have root access on the local machine,
 but you can have a normal account on the server.
@ -28,7 +28,7 @@ Options
 -------
 .. program:: sshuttle
-.. option:: subnets
+.. option:: <subnets>
    A list of subnets to route over the VPN, in the form
    ``a.b.c.d[/width][port[-port]]``.  Valid examples are 1.2.3.4 (a
@ -44,13 +44,13 @@ Options
    to during startup will be routed over the VPN. Valid examples are
    example.com, example.com:8000 and example.com:8000-9000.
-.. option:: --method [auto|nat|tproxy|pf]
+.. option:: --method <auto|nat|nft|tproxy|pf>
   Which firewall method should sshuttle use? For auto, sshuttle attempts to
   guess the appropriate method depending on what it can find in PATH. The
   default value is auto.
-.. option:: -l, --listen=[ip:]port
+.. option:: -l <[ip:]port>, --listen=<[ip:]port>
    Use this ip address and port number as the transparent
    proxy port.  By default :program:`sshuttle` finds an available
@ -65,7 +65,8 @@ Options
    :program:`sshuttle`, e.g. ``--listen localhost``.
    For the tproxy and pf methods this can be an IPv6 address. Use this option 
-    twice if required, to provide both IPv4 and IPv6 addresses.
+    with comma separated values if required, to provide both IPv4 and IPv6
    addresses, e.g. ``--listen 127.0.0.1:0,[::1]:0``.
 .. option:: -H, --auto-hosts
@ -94,7 +95,30 @@ Options
 .. option:: --dns
    Capture local DNS requests and forward to the remote DNS
-    server.
+    server. All queries to any of the local system's DNS
    servers (/etc/resolv.conf) will be intercepted and
    resolved on the remote side of the tunnel instead, there
    using the DNS specified via the :option:`--to-ns` option,
    if specified.
 .. option:: --ns-hosts=<server1[,server2[,server3[...]]]>
    Capture local DNS requests to the specified server(s)
    and forward to the remote DNS server. Contrary to the
    :option:`--dns` option, this flag allows to specify the
    DNS server(s) the queries to which to intercept,
    instead of intercepting all DNS traffic on the local
    machine. This can be useful when only certain DNS
    requests should be resolved on the remote side of the
    tunnel, e.g. in combination with dnsmasq.
 .. option:: --to-ns=<server>
    The DNS to forward requests to when remote DNS
    resolution is enabled. If not given, sshuttle will
    simply resolve using the system configured resolver on
    the remote side (via /etc/resolv.conf on the remote
    side).
 .. option:: --python
@ -102,14 +126,14 @@ Options
    The default is just ``python``, which means to use the
    default python interpreter on the remote system's PATH.
-.. option:: -r, --remote=[username@]sshserver[:port]
+.. option:: -r <[username@]sshserver[:port]>, --remote=<[username@]sshserver[:port]>
    The remote hostname and optional username and ssh
    port number to use for connecting to the remote server.
    For example, example.com, testuser@example.com,
    testuser@example.com:2222, or example.com:2244.
-.. option:: -x, --exclude=subnet
+.. option:: -x <subnet>, --exclude=<subnet>
    Explicitly exclude this subnet from forwarding.  The
    format of this option is the same as the ``<subnets>``
@ -118,7 +142,7 @@ Options
    ``0/0 -x 1.2.3.0/24`` to forward everything except the
    local subnet over the VPN, for example.
-.. option:: -X, --exclude-from=file
+.. option:: -X <file>, --exclude-from=<file>
    Exclude the subnets specified in a file, one subnet per
    line. Useful when you have lots of subnets to exclude.
@ -166,6 +190,13 @@ Options
    control feature, maximizing bandwidth usage.  Use at
    your own risk.
 .. option:: --latency-buffer-size
    Set the size of the buffer used in latency control. The
    default is ``32768``. Changing this option allows a compromise
    to be made between latency and bandwidth without completely
    disabling latency control (with :option:`--no-latency-control`).
 .. option:: -D, --daemon
    Automatically fork into the background after connecting
@ -177,7 +208,7 @@ Options
    :manpage:`syslog(3)` service instead of stderr.  This is
    implicit if you use :option:`--daemon`.
-.. option:: --pidfile=pidfilename
+.. option:: --pidfile=<pidfilename>
    when using :option:`--daemon`, save :program:`sshuttle`'s pid to
    *pidfilename*.  The default is ``sshuttle.pid`` in the
@ -204,6 +235,56 @@ Options
    makes it a lot easier to debug and test the :option:`--auto-hosts`
    feature.
 .. option:: --sudoers
    sshuttle will auto generate the proper sudoers.d config file and add it.
    Once this is completed, sshuttle will exit and tell the user if
    it succeed or not. Do not call this options with sudo, it may generate a
    incorrect config file.
 .. option:: --sudoers-no-modify
    sshuttle will auto generate the proper sudoers.d config and print it to
    stdout. The option will not modify the system at all.
 .. option:: --sudoers-user
    Set the user name or group with %group_name for passwordless operation.
    Default is the current user.set ALL for all users. Only works with
    --sudoers or --sudoers-no-modify option.
 .. option:: --sudoers-filename
    Set the file name for the sudoers.d file to be added. Default is
    "sshuttle_auto". Only works with --sudoers.
 .. option:: --version
    Print program version.
 Configuration File
 ------------------
 All the options described above can optionally be specified in a configuration
 file.
 To run :program:`sshuttle` with options defined in, e.g., `/etc/sshuttle.conf`
 just pass the path to the file preceded by the `@` character, e.g.
 `@/etc/sshuttle.conf`.
 When running :program:`sshuttle` with options defined in a configuration file,
 options can still be passed via the command line in addition to what is
 defined in the file. If a given option is defined both in the file and in
 the command line, the value in the command line will take precedence.
 Arguments read from a file must be one per line, as shown below::
    value
    --option1
    value1
    --option2
    value2
 Examples
 --------
@ -253,6 +334,24 @@ and subnet guessing::
    c : Keyboard interrupt: exiting.
    c : SW#6:192.168.42.121:60554: deleting
 Run :program:`sshuttle` with a `/etc/sshuttle.conf` configuration file::
    $ sshuttle @/etc/sshuttle.conf
 Use the options defined in `/etc/sshuttle.conf` but be more verbose::
    $ sshuttle @/etc/sshuttle.conf -vvv
 Override the remote server defined in `/etc/sshuttle.conf`::
    $ sshuttle @/etc/sshuttle.conf -r otheruser@test.example.com
 Example configuration file::
    192.168.0.0/16
    --remote
    user@example.com
 Discussion
 ----------
--- a/docs/openwrt.rst
+++ b/docs/openwrt.rst
@ -0,0 +1,8 @@
 OpenWRT
 ========
 Run::
    opkg install python3 python3-pip iptables-mod-extra iptables-mod-nat-extra iptables-mod-ipopt
    python3 /usr/bin/pip3 install sshuttle
    sshuttle -l 0.0.0.0 -r <IP> -x 192.168.1.1 0/0
--- a/docs/platform.rst
+++ b/docs/platform.rst
@ -6,5 +6,7 @@ Contents:
 .. toctree::
   :maxdepth: 2
   chromeos
   tproxy
   windows
   openwrt
--- a/docs/requirements.rst
+++ b/docs/requirements.rst
@ -6,7 +6,7 @@ Client side Requirements
 - sudo, or root access on your client machine.
  (The server doesn't need admin access.)
- Python 2.7 or Python 3.5.
+- Python 3.5 or greater.
 Linux with NAT method
@ -32,14 +32,6 @@ Supports:
 * IPv6 UDP (requires ``recvmsg`` - see below)
 * IPv6 DNS (requires ``recvmsg`` - see below)
 .. _PyXAPI: http://www.pps.univ-paris-diderot.fr/~ylg/PyXAPI/
 Full UDP or DNS support with the TPROXY method requires the ``recvmsg()``
 syscall. This is not available in Python 2, however it is in Python 3.5 and
 later. Under Python 2 you might find it sufficient to install PyXAPI_ in
 order to get the ``recvmsg()`` function. See :doc:`tproxy` for more
 information.
 MacOS / FreeBSD / OpenBSD / pfSense
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@ -65,16 +57,13 @@ cmd.exe with Administrator access. See :doc:`windows` for more information.
 Server side Requirements
 ------------------------
-The server can run in any version of Python between 2.4 and 3.6.
+
-However it is recommended that you use Python 2.7, Python 3.5 or later whenever
+- Python 3.5 or greater.
 possible as support for older versions might be dropped in the future.
 Additional Suggested Software
 -----------------------------
 - You may want to use autossh, available in various package management
  systems.
 - If you are using systemd, sshuttle can notify it when the connection to
  the remote end is established and the firewall rules are installed. For
  this feature to work you must configure the process start-up type for the
--- a/docs/usage.rst
+++ b/docs/usage.rst
@ -20,6 +20,11 @@ Forward all traffic::
      sshuttle -r username@sshserver 0/0
 - For 'My VPN broke and need a temporary solution FAST to access local IPv4 addresses'::
      sshuttle --dns -NHr username@sshserver 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
 If you would also like your DNS queries to be proxied
 through the DNS server of the server you are connect to::
@ -60,3 +65,46 @@ the data back and forth through ssh.
 Fun, right?  A poor man's instant VPN, and you don't even have to have
 admin access on the server.
 Sudoers File
 ------------
 sshuttle can auto-generate the proper sudoers.d file using the current user 
 for Linux and OSX. Doing this will allow sshuttle to run without asking for
 the local sudo password and to give users who do not have sudo access
 ability to run sshuttle::
  sshuttle --sudoers
 DO NOT run this command with sudo, it will ask for your sudo password when
 it is needed.
 A costume user or group can be set with the :
 option:`sshuttle --sudoers --sudoers-username {user_descriptor}` option. Valid
 values for this vary based on how your system is configured. Values such as 
 usernames, groups pre-pended with `%` and sudoers user aliases will work. See
 the sudoers manual for more information on valid user specif actions.
 The options must be used with `--sudoers`::
  sshuttle --sudoers --sudoers-user mike
  sshuttle --sudoers --sudoers-user %sudo
 The name of the file to be added to sudoers.d can be configured as well. This
 is mostly not necessary but can be useful for giving more than one user
 access to sshuttle. The default is `sshuttle_auto`::
  sshuttle --sudoer --sudoers-filename sshuttle_auto_mike
  sshuttle --sudoer --sudoers-filename sshuttle_auto_tommy
 You can also see what configuration will be added to your system without
 modifying anything. This can be helpfull is the auto feature does not work, or
 you want more control. This option also works with `--sudoers-username`.
 `--sudoers-filename` has no effect with this option::
  sshuttle --sudoers-no-modify
 This will simply sprint the generated configuration to STDOUT. Example::
  08:40 PM william$ sshuttle --sudoers-no-modify
  Cmnd_Alias SSHUTTLE304 = /usr/bin/env PYTHONPATH=/usr/local/lib/python2.7/dist-packages/sshuttle-0.78.5.dev30+gba5e6b5.d20180909-py2.7.egg /usr/bin/python /usr/local/bin/sshuttle --method auto --firewall
  william ALL=NOPASSWD: SSHUTTLE304
--- a/requirements-tests.txt
+++ b/requirements-tests.txt
@ -0,0 +1,7 @@
 -r requirements.txt
 attrs==20.1.0
 pytest==6.0.1
 pytest-cov==2.10.1
 mock==2.0.0
 flake8==3.8.3
 pyflakes==2.2.0
--- a/requirements.txt
+++ b/requirements.txt
@ -1 +1 @@
-setuptools-scm==1.15.6
+setuptools-scm==4.1.2
--- a/26
+++ b/26
@ -1,11 +1,15 @@
-#!/bin/sh
+#!/usr/bin/env sh
-source_dir="$(dirname $0)"
+set -e
-(cd "$source_dir" && "$source_dir/setup.py" --version > /dev/null)
+export PYTHONPATH="$(dirname $0):$PYTHONPATH"
-export PYTHONPATH="$source_dir:$PYTHONPATH"
+export PATH="$(dirname $0)/bin:$PATH"
-if python3.5 -V >/dev/null 2>&1; then
+
-	exec python3.5 -m "sshuttle" "$@"
+python_best_version() {
-elif python2.7 -V >/dev/null 2>&1; then
+  if [ -x "$(command -v python3)" ] &&
-	exec python2.7 -m "sshuttle" "$@"
+      python3 -c "import sys; sys.exit(not sys.version_info > (3, 5))"; then
-else
+    exec python3 "$@"
-	exec python -m "sshuttle" "$@"
+  else
-fi
+    exec python "$@"
  fi
 }
 python_best_version -m "sshuttle" "$@"
--- a/setup.cfg
+++ b/setup.cfg
@ -7,3 +7,11 @@ universal = 1
 [upload]
 sign=true
 identity=0x1784577F811F6EAC
 [flake8]
 count=true
 show-source=true
 statistics=true
 [tool:pytest]
 addopts = --cov=sshuttle --cov-branch --cov-report=term-missing
--- a/setup.py
+++ b/setup.py
@ -2,20 +2,20 @@
 # Copyright 2012-2014 Brian May
 #
-# This file is part of python-tldap.
+# This file is part of sshuttle.
 #
-# python-tldap is free software: you can redistribute it and/or modify
+# sshuttle is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
+# it under the terms of the GNU Lesser General Public License as
-# the Free Software Foundation, either version 3 of the License, or
+# published by the Free Software Foundation; either version 2.1 of
-# (at your option) any later version.
+# the License, or (at your option) any later version.
 #
-# python-tldap is distributed in the hope that it will be useful,
+# sshuttle is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
+# GNU Lesser General Public License for more details.
 #
-# You should have received a copy of the GNU General Public License
+# You should have received a copy of the GNU Lesser General Public License
-# along with python-tldap  If not, see <http://www.gnu.org/licenses/>.
+# along with sshuttle; If not, see <http://www.gnu.org/licenses/>.
 from setuptools import setup, find_packages
@ -39,24 +39,35 @@ setup(
    author_email='brian@linuxpenguins.xyz',
    description='Full-featured" VPN over an SSH tunnel',
    packages=find_packages(),
-    license="GPL2+",
+    license="LGPL2.1+",
    long_description=open('README.rst').read(),
    long_description_content_type="text/x-rst",
    classifiers=[
        "Development Status :: 5 - Production/Stable",
        "Intended Audience :: Developers",
        "Intended Audience :: End Users/Desktop",
        "License :: OSI Approved :: "
-            "GNU General Public License v2 or later (GPLv2+)",
+            "GNU Lesser General Public License v2 or later (LGPLv2+)",
        "Operating System :: OS Independent",
        "Programming Language :: Python :: 2.7",
        "Programming Language :: Python :: 3.5",
        "Programming Language :: Python :: 3.6",
        "Programming Language :: Python :: 3.7",
        "Programming Language :: Python :: 3.8",
        "Topic :: System :: Networking",
    ],
    scripts=['bin/sudoers-add'],
    entry_points={
        'console_scripts': [
            'sshuttle = sshuttle.cmdline:main',
        ],
    },
-    tests_require=['pytest', 'pytest-runner', 'mock'],
+    python_requires='>=3.5',
    tests_require=[
        'pytest',
        'pytest-cov',
        'pytest-runner',
        'mock',
        'flake8',
    ],
    keywords="ssh vpn",
 )
--- a/sshuttle/assembler.py
+++ b/sshuttle/assembler.py
@ -1,7 +1,8 @@
 import sys
 import zlib
-import imp
+import types
 verbosity = verbosity  # noqa: F821 must be a previously defined global
 z = zlib.decompressobj()
 while 1:
    name = sys.stdin.readline().strip()
@ -14,14 +15,14 @@ while 1:
                             % (name, nbytes))
        content = z.decompress(sys.stdin.read(nbytes))
-        module = imp.new_module(name)
+        module = types.ModuleType(name)
        parents = name.rsplit(".", 1)
        if len(parents) == 2:
            parent, parent_name = parents
            setattr(sys.modules[parent], parent_name, module)
        code = compile(content, name, "exec")
-        exec(code, module.__dict__)
+        exec(code, module.__dict__)  # nosec
        sys.modules[name] = module
    else:
        break
@ -29,9 +30,12 @@ while 1:
 sys.stderr.flush()
 sys.stdout.flush()
-import sshuttle.helpers
+# import can only happen once the code has been transferred to
 # the server. 'noqa: E402' excludes these lines from QA checks.
 import sshuttle.helpers  # noqa: E402
 sshuttle.helpers.verbose = verbosity
-import sshuttle.cmdline_options as options
+import sshuttle.cmdline_options as options  # noqa: E402
-from sshuttle.server import main
+from sshuttle.server import main  # noqa: E402
-main(options.latency_control, options.auto_hosts)
+main(options.latency_control, options.auto_hosts, options.to_nameserver,
     options.auto_nets)
--- a/sshuttle/client.py
+++ b/sshuttle/client.py
@ -3,18 +3,23 @@ import re
 import signal
 import time
 import subprocess as ssubprocess
 import sshuttle.helpers as helpers
 import os
 import sys
 import platform
 import sshuttle.helpers as helpers
 import sshuttle.ssnet as ssnet
 import sshuttle.ssh as ssh
 import sshuttle.ssyslog as ssyslog
 import sshuttle.sdnotify as sdnotify
 import sys
 import platform
 from sshuttle.ssnet import SockWrapper, Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import log, debug1, debug2, debug3, Fatal, islocal, \
    resolvconf_nameservers
 from sshuttle.methods import get_method, Features
 try:
    from pwd import getpwnam
 except ImportError:
    getpwnam = None
 try:
    # try getting recvmsg from python
@ -30,7 +35,7 @@ except AttributeError:
    except ImportError:
        import socket
-_extra_fd = os.open('/dev/null', os.O_RDONLY)
+_extra_fd = os.open(os.devnull, os.O_RDONLY)
 def got_signal(signum, frame):
@ -90,7 +95,7 @@ def daemonize():
    # be deleted.
    signal.signal(signal.SIGTERM, got_signal)
-    si = open('/dev/null', 'r+')
+    si = open(os.devnull, 'r+')
    os.dup2(si.fileno(), 0)
    os.dup2(si.fileno(), 1)
    si.close()
@ -108,8 +113,8 @@ def daemon_cleanup():
 class MultiListener:
-    def __init__(self, type=socket.SOCK_STREAM, proto=0):
+    def __init__(self, kind=socket.SOCK_STREAM, proto=0):
-        self.type = type
+        self.type = kind
        self.proto = proto
        self.v6 = None
        self.v4 = None
@ -157,13 +162,11 @@ class MultiListener:
        self.bind_called = True
        if address_v6 is not None:
            self.v6 = socket.socket(socket.AF_INET6, self.type, self.proto)
            self.v6.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            self.v6.bind(address_v6)
        else:
            self.v6 = None
        if address_v4 is not None:
            self.v4 = socket.socket(socket.AF_INET, self.type, self.proto)
            self.v4.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            self.v4.bind(address_v4)
        else:
            self.v4 = None
@ -182,7 +185,7 @@ class MultiListener:
 class FirewallClient:
-    def __init__(self, method_name):
+    def __init__(self, method_name, sudo_pythonpath):
        self.auto_nets = []
        python_path = os.path.dirname(os.path.dirname(__file__))
        argvbase = ([sys.executable, sys.argv[0]] +
@ -191,11 +194,15 @@ class FirewallClient:
                    ['--firewall'])
        if ssyslog._p:
            argvbase += ['--syslog']
-        argv_tries = [
+        # Default to sudo unless on OpenBSD in which case use built in `doas`
-            ['sudo', '-p', '[local sudo] Password: ',
+        if platform.platform().startswith('OpenBSD'):
-                ('PYTHONPATH=%s' % python_path), '--'] + argvbase,
+            elev_prefix = ['doas']
-            argvbase
+        else:
-        ]
+            elev_prefix = ['sudo', '-p', '[local sudo] Password: ']
        if sudo_pythonpath:
            elev_prefix += ['/usr/bin/env',
                            'PYTHONPATH=%s' % python_path]
        argv_tries = [elev_prefix + argvbase, argvbase]
        # we can't use stdin/stdout=subprocess.PIPE here, as we normally would,
        # because stupid Linux 'su' requires that stdin be attached to a tty.
@ -214,18 +221,14 @@ class FirewallClient:
                if argv[0] == 'su':
                    sys.stderr.write('[local su] ')
                self.p = ssubprocess.Popen(argv, stdout=s1, preexec_fn=setup)
                # No env: Talking to `FirewallClient.start`, which has no i18n.
                e = None
                break
-            except OSError as e:
+            except OSError:
                pass
        self.argv = argv
        s1.close()
-        if sys.version_info < (3, 0):
+        self.pfile = s2.makefile('rwb')
            # python 2.7
            self.pfile = s2.makefile('wb+')
        else:
            # python 3.5
            self.pfile = s2.makefile('rwb')
        if e:
            log('Spawning firewall manager: %r\n' % self.argv)
            raise Fatal(e)
@ -238,7 +241,8 @@ class FirewallClient:
        self.method.set_firewall(self)
    def setup(self, subnets_include, subnets_exclude, nslist,
-              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp):
+              redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4, udp,
              user):
        self.subnets_include = subnets_include
        self.subnets_exclude = subnets_exclude
        self.nslist = nslist
@ -247,6 +251,7 @@ class FirewallClient:
        self.dnsport_v6 = dnsport_v6
        self.dnsport_v4 = dnsport_v4
        self.udp = udp
        self.user = user
    def check(self):
        rv = self.p.poll()
@ -257,11 +262,13 @@ class FirewallClient:
        self.pfile.write(b'ROUTES\n')
        for (family, ip, width, fport, lport) \
                in self.subnets_include + self.auto_nets:
-            self.pfile.write(b'%d,%d,0,%s,%d,%d\n'
+            self.pfile.write(b'%d,%d,0,%s,%d,%d\n' % (family, width,
-                    % (family, width, ip.encode("ASCII"), fport, lport))
+                                                      ip.encode("ASCII"),
                                                      fport, lport))
        for (family, ip, width, fport, lport) in self.subnets_exclude:
-            self.pfile.write(b'%d,%d,1,%s,%d,%d\n'
+            self.pfile.write(b'%d,%d,1,%s,%d,%d\n' % (family, width,
-                    % (family, width, ip.encode("ASCII"), fport, lport))
+                                                      ip.encode("ASCII"),
                                                      fport, lport))
        self.pfile.write(b'NSLIST\n')
        for (family, ip) in self.nslist:
@ -276,8 +283,14 @@ class FirewallClient:
        udp = 0
        if self.udp:
            udp = 1
        if self.user is None:
            user = b'-'
        elif isinstance(self.user, str):
            user = bytes(self.user, 'utf-8')
        else:
            user = b'%d' % self.user
-        self.pfile.write(b'GO %d\n' % udp)
+        self.pfile.write(b'GO %d %s\n' % (udp, user))
        self.pfile.flush()
        line = self.pfile.readline()
@ -286,8 +299,8 @@ class FirewallClient:
            raise Fatal('%r expected STARTED, got %r' % (self.argv, line))
    def sethostip(self, hostname, ip):
-        assert(not re.search(b'[^-\w]', hostname))
+        assert(not re.search(rb'[^-\w\.]', hostname))
-        assert(not re.search(b'[^0-9.]', ip))
+        assert(not re.search(rb'[^0-9.]', ip))
        self.pfile.write(b'HOST %s,%s\n' % (hostname, ip))
        self.pfile.flush()
@ -338,7 +351,7 @@ def onaccept_tcp(listener, method, mux, handlers):
                sock, srcip = listener.accept()
                sock.close()
            finally:
-                _extra_fd = os.open('/dev/null', os.O_RDONLY)
+                _extra_fd = os.open(os.devnull, os.O_RDONLY)
            return
        else:
            raise
@ -377,7 +390,7 @@ def onaccept_udp(listener, method, mux, handlers):
    srcip, dstip, data = t
    debug1('Accept UDP: %r -> %r.\n' % (srcip, dstip,))
    if srcip in udp_by_src:
-        chan, timeout = udp_by_src[srcip]
+        chan, _ = udp_by_src[srcip]
    else:
        chan = mux.next_channel()
        mux.channels[chan] = lambda cmd, data: udp_done(
@ -415,7 +428,8 @@ def ondns(listener, method, mux, handlers):
 def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
          python, latency_control,
-          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon):
+          dns_listener, seed_hosts, auto_hosts, auto_nets, daemon,
          to_nameserver):
    debug1('Starting client with Python version %s\n'
           % platform.python_version())
@ -434,13 +448,15 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
            ssh_cmd, remotename, python,
            stderr=ssyslog._p and ssyslog._p.stdin,
            options=dict(latency_control=latency_control,
-                auto_hosts=auto_hosts))
+                         auto_hosts=auto_hosts,
                         to_nameserver=to_nameserver,
                         auto_nets=auto_nets))
    except socket.error as e:
        if e.args[0] == errno.EPIPE:
            raise Fatal("failed to establish ssh session (1)")
        else:
            raise
-    mux = Mux(serversock, serversock)
+    mux = Mux(serversock.makefile("rb"), serversock.makefile("wb"))
    handlers.append(mux)
    expected = b'SSHUTTLE0001'
@ -475,6 +491,8 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
    def onroutes(routestr):
        if auto_nets:
            for line in routestr.strip().split(b'\n'):
                if not line:
                    continue
                (family, ip, width) = line.split(b',', 2)
                family = int(family)
                width = int(width)
@ -495,9 +513,14 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        # set --auto-nets, we might as well wait for the message first, then
        # ignore its contents.
        mux.got_routes = None
-        fw.start()
+        serverready()
    mux.got_routes = onroutes
    def serverready():
        fw.start()
        sdnotify.send(sdnotify.ready(), sdnotify.status('Connected'))
    def onhostlist(hostlist):
        debug2('got host list: %r\n' % hostlist)
        for line in hostlist.strip().split():
@ -518,9 +541,6 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
        debug1('seed_hosts: %r\n' % seed_hosts)
        mux.send(0, ssnet.CMD_HOST_REQ, str.encode('\n'.join(seed_hosts)))
    sdnotify.send(sdnotify.ready(),
                  sdnotify.status('Connected to %s.' % remotename))
    while 1:
        rv = serverproc.poll()
        if rv:
@ -534,7 +554,13 @@ def _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
 def main(listenip_v6, listenip_v4,
         ssh_cmd, remotename, python, latency_control, dns, nslist,
         method_name, seed_hosts, auto_hosts, auto_nets,
-         subnets_include, subnets_exclude, daemon, pidfile):
+         subnets_include, subnets_exclude, daemon, to_nameserver, pidfile,
         user, sudo_pythonpath):
    if not remotename:
        # XXX: We can't make it required at the argparse level,
        #      because sshuttle calls out to itself in FirewallClient.
        raise Fatal("You must specify -r/--remote.")
    if daemon:
        try:
@ -544,11 +570,16 @@ def main(listenip_v6, listenip_v4,
            return 5
    debug1('Starting sshuttle proxy.\n')
-    fw = FirewallClient(method_name)
+    fw = FirewallClient(method_name, sudo_pythonpath)
    # Get family specific subnet lists
    if dns:
        nslist += resolvconf_nameservers()
        if to_nameserver is not None:
            to_nameserver = "%s@%s" % tuple(to_nameserver[1:])
    else:
        # option doesn't make sense if we aren't proxying dns
        to_nameserver = None
    subnets = subnets_include + subnets_exclude  # we don't care here
    subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
@ -566,10 +597,24 @@ def main(listenip_v6, listenip_v4,
        else:
            listenip_v6 = None
-    required.ipv6 = len(subnets_v6) > 0 or listenip_v6 is not None
+    if user is not None:
-    required.ipv4 = len(subnets_v4) > 0 or listenip_v4 is not None
+        if getpwnam is None:
            raise Fatal("Routing by user not available on this system.")
        try:
            user = getpwnam(user).pw_uid
        except KeyError:
            raise Fatal("User %s does not exist." % user)
    if fw.method.name != 'nat':
        required.ipv6 = len(subnets_v6) > 0 or listenip_v6 is not None
        required.ipv4 = len(subnets_v4) > 0 or listenip_v4 is not None
    else:
        required.ipv6 = None
        required.ipv4 = None
    required.udp = avail.udp
    required.dns = len(nslist) > 0
    required.user = False if user is None else True
    # if IPv6 not supported, ignore IPv6 DNS servers
    if not required.ipv6:
@ -585,6 +630,7 @@ def main(listenip_v6, listenip_v4,
    debug1("IPv6 enabled: %r\n" % required.ipv6)
    debug1("UDP enabled: %r\n" % required.udp)
    debug1("DNS enabled: %r\n" % required.dns)
    debug1("User enabled: %r\n" % required.user)
    # bind to required ports
    if listenip_v4 == "auto":
@ -604,6 +650,9 @@ def main(listenip_v6, listenip_v4,
    else:
        # if at least one port missing, we have to search
        ports = range(12300, 9000, -1)
        # keep track of failed bindings and used ports to avoid trying to
        # bind to the same socket address twice in different listeners
        used_ports = []
    # search for free ports and try to bind
    last_e = None
@ -645,10 +694,12 @@ def main(listenip_v6, listenip_v4,
            if udp_listener:
                udp_listener.bind(lv6, lv4)
            bound = True
            used_ports.append(port)
            break
        except socket.error as e:
            if e.errno == errno.EADDRINUSE:
                last_e = e
                used_ports.append(port)
            else:
                raise e
@ -668,6 +719,9 @@ def main(listenip_v6, listenip_v4,
        ports = range(12300, 9000, -1)
        for port in ports:
            debug2(' %d' % port)
            if port in used_ports:
                continue
            dns_listener = MultiListener(socket.SOCK_DGRAM)
            if listenip_v6:
@ -687,10 +741,12 @@ def main(listenip_v6, listenip_v4,
            try:
                dns_listener.bind(lv6, lv4)
                bound = True
                used_ports.append(port)
                break
            except socket.error as e:
                if e.errno == errno.EADDRINUSE:
                    last_e = e
                    used_ports.append(port)
                else:
                    raise e
        debug2('\n')
@ -706,22 +762,22 @@ def main(listenip_v6, listenip_v4,
    # Last minute sanity checks.
    # These should never fail.
    # If these do fail, something is broken above.
-    if len(subnets_v6) > 0:
+    if subnets_v6:
        assert required.ipv6
        if redirectport_v6 == 0:
            raise Fatal("IPv6 subnets defined but not listening")
-    if len(nslist_v6) > 0:
+    if nslist_v6:
        assert required.dns
        assert required.ipv6
        if dnsport_v6 == 0:
            raise Fatal("IPv6 ns servers defined but not listening")
-    if len(subnets_v4) > 0:
+    if subnets_v4:
        if redirectport_v4 == 0:
            raise Fatal("IPv4 subnets defined but not listening")
-    if len(nslist_v4) > 0:
+    if nslist_v4:
        if dnsport_v4 == 0:
            raise Fatal("IPv4 ns servers defined but not listening")
@ -735,19 +791,21 @@ def main(listenip_v6, listenip_v4,
    # start the firewall
    fw.setup(subnets_include, subnets_exclude, nslist,
             redirectport_v6, redirectport_v4, dnsport_v6, dnsport_v4,
-             required.udp)
+             required.udp, user)
    # start the client process
    try:
        return _main(tcp_listener, udp_listener, fw, ssh_cmd, remotename,
                     python, latency_control, dns_listener,
-                     seed_hosts, auto_hosts, auto_nets, daemon)
+                     seed_hosts, auto_hosts, auto_nets, daemon, to_nameserver)
    finally:
        try:
            if daemon:
                # it's not our child anymore; can't waitpid
                fw.p.returncode = 0
            fw.done()
            sdnotify.send(sdnotify.stop())
        finally:
            if daemon:
                daemon_cleanup()
--- a/sshuttle/cmdline.py
+++ b/sshuttle/cmdline.py
@ -1,5 +1,6 @@
 import re
 import socket
 import platform
 import sshuttle.helpers as helpers
 import sshuttle.client as client
 import sshuttle.firewall as firewall
@ -7,16 +8,35 @@ import sshuttle.hostwatch as hostwatch
 import sshuttle.ssyslog as ssyslog
 from sshuttle.options import parser, parse_ipport
 from sshuttle.helpers import family_ip_tuple, log, Fatal
 from sshuttle.sudoers import sudoers
 def main():
    opt = parser.parse_args()
    if opt.sudoers or opt.sudoers_no_modify:
        if platform.platform().startswith('OpenBSD'):
            log('Automatic sudoers does not work on BSD')
            exit(1)
        if not opt.sudoers_filename:
            log('--sudoers-file must be set or omited.')
            exit(1)
        sudoers(
            user_name=opt.sudoers_user,
            no_modify=opt.sudoers_no_modify,
            file_name=opt.sudoers_filename
        )
    if opt.daemon:
        opt.syslog = 1
    if opt.wrap:
        import sshuttle.ssnet as ssnet
        ssnet.MAX_CHANNEL = opt.wrap
    if opt.latency_buffer_size:
        import sshuttle.ssnet as ssnet
        ssnet.LATENCY_BUFFER_SIZE = opt.latency_buffer_size
    helpers.verbose = opt.verbose
    try:
@ -25,7 +45,7 @@ def main():
                parser.error('exactly zero arguments expected')
            return firewall.main(opt.method, opt.syslog)
        elif opt.hostwatch:
-            return hostwatch.hw_main(opt.subnets)
+            return hostwatch.hw_main(opt.subnets, opt.auto_hosts)
        else:
            includes = opt.subnets + opt.subnets_file
            excludes = opt.exclude
@ -45,8 +65,8 @@ def main():
            if opt.listen:
                ipport_v6 = None
                ipport_v4 = None
-                list = opt.listen.split(",")
+                lst = opt.listen.split(",")
-                for ip in list:
+                for ip in lst:
                    family, ip, port = parse_ipport(ip)
                    if family == socket.AF_INET6:
                        ipport_v6 = (ip, port)
@ -59,6 +79,8 @@ def main():
                ipport_v6 = "auto" if not opt.disable_ipv6 else None
            if opt.syslog:
                ssyslog.start_syslog()
                ssyslog.close_stdin()
                ssyslog.stdout_to_syslog()
                ssyslog.stderr_to_syslog()
            return_code = client.main(ipport_v6, ipport_v4,
                                      opt.ssh_cmd,
@ -73,12 +95,16 @@ def main():
                                      opt.auto_nets,
                                      includes,
                                      excludes,
-                                      opt.daemon, opt.pidfile)
+                                      opt.daemon,
                                      opt.to_ns,
                                      opt.pidfile,
                                      opt.user,
                                      opt.sudo_pythonpath)
            if return_code == 0:
                log('Normal exit code, exiting...')
            else:
-                log('Abnormal exit code detected, failing...' % return_code)
+                log('Abnormal exit code %d detected, failing...' % return_code)
            return return_code
    except Fatal as e:
--- a/sshuttle/firewall.py
+++ b/sshuttle/firewall.py
@ -1,11 +1,12 @@
 import errno
 import socket
 import signal
 import sshuttle.ssyslog as ssyslog
 import sys
 import os
 import platform
 import traceback
 import sshuttle.ssyslog as ssyslog
 from sshuttle.helpers import debug1, debug2, Fatal
 from sshuttle.methods import get_auto_method, get_method
@ -131,7 +132,7 @@ def main(method_name, syslog):
        try:
            (family, width, exclude, ip, fport, lport) = \
                    line.strip().split(',', 5)
-        except:
+        except BaseException:
            raise Fatal('firewall: expected route or NSLIST but got %r' % line)
        subnets.append((
            int(family),
@ -153,7 +154,7 @@ def main(method_name, syslog):
            break
        try:
            (family, ip) = line.strip().split(',', 1)
-        except:
+        except BaseException:
            raise Fatal('firewall: expected nslist or PORTS but got %r' % line)
        nslist.append((int(family), ip))
        debug2('firewall manager: Got partial nslist: %r\n' % nslist)
@ -164,7 +165,7 @@ def main(method_name, syslog):
    _, _, ports = line.partition(" ")
    ports = ports.split(",")
    if len(ports) != 4:
-        raise Fatal('firewall: expected 4 ports but got %n' % len(ports))
+        raise Fatal('firewall: expected 4 ports but got %d' % len(ports))
    port_v6 = int(ports[0])
    port_v4 = int(ports[1])
    dnsport_v6 = int(ports[2])
@ -188,9 +189,12 @@ def main(method_name, syslog):
    elif not line.startswith("GO "):
        raise Fatal('firewall: expected GO but got %r' % line)
-    _, _, udp = line.partition(" ")
+    _, _, args = line.partition(" ")
    udp, user = args.strip().split(" ", 1)
    udp = bool(int(udp))
-    debug2('firewall manager: Got udp: %r\n' % udp)
+    if user == '-':
        user = None
    debug2('firewall manager: Got udp: %r, user: %r\n' % (udp, user))
    subnets_v6 = [i for i in subnets if i[0] == socket.AF_INET6]
    nslist_v6 = [i for i in nslist if i[0] == socket.AF_INET6]
@ -200,17 +204,19 @@ def main(method_name, syslog):
    try:
        debug1('firewall manager: setting up.\n')
-        if len(subnets_v6) > 0 or len(nslist_v6) > 0:
+        if subnets_v6 or nslist_v6:
            debug2('firewall manager: setting up IPv6.\n')
            method.setup_firewall(
                port_v6, dnsport_v6, nslist_v6,
-                socket.AF_INET6, subnets_v6, udp)
+                socket.AF_INET6, subnets_v6, udp,
                user)
-        if len(subnets_v4) > 0 or len(nslist_v4) > 0:
+        if subnets_v4 or nslist_v4:
            debug2('firewall manager: setting up IPv4.\n')
            method.setup_firewall(
                port_v4, dnsport_v4, nslist_v4,
-                socket.AF_INET, subnets_v4, udp)
+                socket.AF_INET, subnets_v4, udp,
                user)
        stdout.write('STARTED\n')
@ -238,45 +244,44 @@ def main(method_name, syslog):
                break
    finally:
        try:
            sdnotify.send(sdnotify.stop())
            debug1('firewall manager: undoing changes.\n')
-        except:
+        except BaseException:
-            pass
+            debug2('An error occurred, ignoring it.')
        try:
-            if len(subnets_v6) > 0 or len(nslist_v6) > 0:
+            if subnets_v6 or nslist_v6:
                debug2('firewall manager: undoing IPv6 changes.\n')
-                method.restore_firewall(port_v6, socket.AF_INET6, udp)
+                method.restore_firewall(port_v6, socket.AF_INET6, udp, user)
-        except:
+        except BaseException:
            try:
                debug1("firewall manager: "
                       "Error trying to undo IPv6 firewall.\n")
                for line in traceback.format_exc().splitlines():
                    debug1("---> %s\n" % line)
-            except:
+            except BaseException:
-                pass
+                debug2('An error occurred, ignoring it.')
        try:
-            if len(subnets_v4) > 0 or len(nslist_v4) > 0:
+            if subnets_v4 or nslist_v4:
                debug2('firewall manager: undoing IPv4 changes.\n')
-                method.restore_firewall(port_v4, socket.AF_INET, udp)
+                method.restore_firewall(port_v4, socket.AF_INET, udp, user)
-        except:
+        except BaseException:
            try:
                debug1("firewall manager: "
                       "Error trying to undo IPv4 firewall.\n")
                for line in traceback.format_exc().splitlines():
                    debug1("firewall manager: ---> %s\n" % line)
-            except:
+            except BaseException:
-                pass
+                debug2('An error occurred, ignoring it.')
        try:
            debug2('firewall manager: undoing /etc/hosts changes.\n')
            restore_etc_hosts(port_v6 or port_v4)
-        except:
+        except BaseException:
            try:
                debug1("firewall manager: "
                       "Error trying to undo /etc/hosts changes.\n")
                for line in traceback.format_exc().splitlines():
                    debug1("firewall manager: ---> %s\n" % line)
-            except:
+            except BaseException:
-                pass
+                debug2('An error occurred, ignoring it.')
--- a/sshuttle/helpers.py
+++ b/sshuttle/helpers.py
@ -5,16 +5,9 @@ import errno
 logprefix = ''
 verbose = 0
 if sys.version_info[0] == 3:
    binary_type = bytes
-    def b(s):
+def b(s):
-        return s.encode("ASCII")
+    return s.encode("ASCII")
 else:
    binary_type = str
    def b(s):
        return s
 def log(s):
@ -56,22 +49,22 @@ class Fatal(Exception):
 def resolvconf_nameservers():
-    l = []
+    lines = []
    for line in open('/etc/resolv.conf'):
        words = line.lower().split()
        if len(words) >= 2 and words[0] == 'nameserver':
-            l.append(family_ip_tuple(words[1]))
+            lines.append(family_ip_tuple(words[1]))
-    return l
+    return lines
 def resolvconf_random_nameserver():
-    l = resolvconf_nameservers()
+    lines = resolvconf_nameservers()
-    if l:
+    if lines:
-        if len(l) > 1:
+        if len(lines) > 1:
            # don't import this unless we really need it
            import random
-            random.shuffle(l)
+            random.shuffle(lines)
-        return l[0]
+        return lines[0]
    else:
        return (socket.AF_INET, '127.0.0.1')
--- a/sshuttle/hostwatch.py
+++ b/sshuttle/hostwatch.py
@ -21,7 +21,7 @@ _smb_ok = True
 hostnames = {}
 queue = {}
 try:
-    null = open('/dev/null', 'wb')
+    null = open(os.devnull, 'wb')
 except IOError:
    _, e = sys.exc_info()[:2]
    log('warning: %s\n' % e)
@ -44,7 +44,7 @@ def write_host_cache():
    finally:
        try:
            os.unlink(tmpname)
-        except:
+        except BaseException:
            pass
@ -61,23 +61,27 @@ def read_host_cache():
        words = line.strip().split(',')
        if len(words) == 2:
            (name, ip) = words
-            name = re.sub(r'[^-\w]', '-', name).strip()
+            name = re.sub(r'[^-\w\.]', '-', name).strip()
            ip = re.sub(r'[^0-9.]', '', ip).strip()
            if name and ip:
                found_host(name, ip)
-def found_host(hostname, ip):
+def found_host(name, ip):
-    hostname = re.sub(r'\..*', '', hostname)
+    hostname = re.sub(r'\..*', '', name)
-    hostname = re.sub(r'[^-\w]', '_', hostname)
+    hostname = re.sub(r'[^-\w\.]', '_', hostname)
    if (ip.startswith('127.') or ip.startswith('255.') or
            hostname == 'localhost'):
        return
-    oldip = hostnames.get(hostname)
+
    if hostname != name:
        found_host(hostname, ip)
    oldip = hostnames.get(name)
    if oldip != ip:
-        hostnames[hostname] = ip
+        hostnames[name] = ip
-        debug1('Found: %s: %s\n' % (hostname, ip))
+        debug1('Found: %s: %s\n' % (name, ip))
-        sys.stdout.write('%s,%s\n' % (hostname, ip))
+        sys.stdout.write('%s,%s\n' % (name, ip))
        write_host_cache()
@ -104,7 +108,7 @@ def _check_revdns(ip):
        debug3('<    %s\n' % r[0])
        check_host(r[0])
        found_host(r[0], ip)
-    except socket.herror:
+    except (socket.herror, UnicodeError):
        pass
@ -115,15 +119,20 @@ def _check_dns(hostname):
        debug3('<    %s\n' % ip)
        check_host(ip)
        found_host(hostname, ip)
-    except socket.gaierror:
+    except (socket.gaierror, UnicodeError):
        pass
 def _check_netstat():
    debug2(' > netstat\n')
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    argv = ['netstat', '-n']
    try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
                              env=env)
        content = p.stdout.read().decode("ASCII")
        p.wait()
    except OSError:
@ -141,10 +150,15 @@ def _check_smb(hostname):
    global _smb_ok
    if not _smb_ok:
        return
    argv = ['smbclient', '-U', '%', '-L', hostname]
    debug2(' > smb: %s\n' % hostname)
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    argv = ['smbclient', '-U', '%', '-L', hostname]
    try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
                              env=env)
        lines = p.stdout.readlines()
        p.wait()
    except OSError:
@ -199,10 +213,15 @@ def _check_nmb(hostname, is_workgroup, is_master):
    global _nmb_ok
    if not _nmb_ok:
        return
    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
    debug2(' > n%d%d: %s\n' % (is_workgroup, is_master, hostname))
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    argv = ['nmblookup'] + ['-M'] * is_master + ['--', hostname]
    try:
-        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null)
+        p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, stderr=null,
                              env=env)
        lines = p.stdout.readlines()
        rv = p.wait()
    except OSError:
@ -247,7 +266,7 @@ def _enqueue(op, *args):
 def _stdin_still_ok(timeout):
-    r, w, x = select.select([sys.stdin.fileno()], [], [], timeout)
+    r, _, _ = select.select([sys.stdin.fileno()], [], [], timeout)
    if r:
        b = os.read(sys.stdin.fileno(), 4096)
        if not b:
--- a/sshuttle/linux.py
+++ b/sshuttle/linux.py
@ -23,13 +23,13 @@ def ipt_chain_exists(family, table, name):
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
-    p = ssubprocess.Popen(argv, stdout=ssubprocess.PIPE, env=env)
+    try:
-    for line in p.stdout:
+        output = ssubprocess.check_output(argv, env=env)
-        if line.startswith(b'Chain %s ' % name.encode("ASCII")):
+        for line in output.decode('ASCII').split('\n'):
-            return True
+            if line.startswith('Chain %s ' % name):
-    rv = p.wait()
+                return True
-    if rv:
+    except ssubprocess.CalledProcessError as e:
-        raise Fatal('%r returned %d' % (argv, rv))
+        raise Fatal('%r returned %d' % (argv, e.returncode))
 def ipt(family, table, *args):
@ -49,6 +49,21 @@ def ipt(family, table, *args):
        raise Fatal('%r returned %d' % (argv, rv))
 def nft(family, table, action, *args):
    if family in (socket.AF_INET, socket.AF_INET6):
        argv = ['nft', action, 'inet', table] + list(args)
    else:
        raise Exception('Unsupported family "%s"' % family_to_string(family))
    debug1('>> %s\n' % ' '.join(argv))
    env = {
        'PATH': os.environ['PATH'],
        'LC_ALL': "C",
    }
    rv = ssubprocess.call(argv, env=env)
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
 _no_ttl_module = False
@ -56,10 +71,10 @@ def ipt_ttl(family, *args):
    global _no_ttl_module
    if not _no_ttl_module:
        # we avoid infinite loops by generating server-side connections
-        # with ttl 42.  This makes the client side not recapture those
+        # with ttl 63.  This makes the client side not recapture those
        # connections, in case client == server.
        try:
-            argsplus = list(args) + ['-m', 'ttl', '!', '--ttl', '42']
+            argsplus = list(args) + ['-m', 'ttl', '!', '--ttl', '63']
            ipt(family, *argsplus)
        except Fatal:
            ipt(family, *args)
--- a/sshuttle/methods/init.py
+++ b/sshuttle/methods/init.py
@ -35,17 +35,21 @@ class BaseMethod(object):
    def set_firewall(self, firewall):
        self.firewall = firewall
-    def get_supported_features(self):
+    @staticmethod
    def get_supported_features():
        result = Features()
        result.ipv6 = False
        result.udp = False
        result.dns = True
        result.user = False
        return result
-    def get_tcp_dstip(self, sock):
+    @staticmethod
    def get_tcp_dstip(sock):
        return original_dst(sock)
-    def recv_udp(self, udp_listener, bufsize):
+    @staticmethod
    def recv_udp(udp_listener, bufsize):
        debug3('Accept UDP using recvfrom.\n')
        data, srcip = udp_listener.recvfrom(bufsize)
        return (srcip, None, data)
@ -64,19 +68,21 @@ class BaseMethod(object):
    def assert_features(self, features):
        avail = self.get_supported_features()
-        for key in ["udp", "dns", "ipv6"]:
+        for key in ["udp", "dns", "ipv6", "user"]:
            if getattr(features, key) and not getattr(avail, key):
                raise Fatal(
                    "Feature %s not supported with method %s.\n" %
                    (key, self.name))
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
                       user):
        raise NotImplementedError()
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
        raise NotImplementedError()
-    def firewall_command(self, line):
+    @staticmethod
    def firewall_command(line):
        return False
@ -96,12 +102,14 @@ def get_method(method_name):
 def get_auto_method():
    if _program_exists('iptables'):
        method_name = "nat"
    elif _program_exists('nft'):
        method_name = "nft"
    elif _program_exists('pfctl'):
        method_name = "pf"
    elif _program_exists('ipfw'):
        method_name = "ipfw"
    else:
        raise Fatal(
-            "can't find either iptables or pfctl; check your PATH")
+            "can't find either iptables, nft or pfctl; check your PATH")
    return get_method(method_name)
--- a/sshuttle/methods/ipfw.py
+++ b/sshuttle/methods/ipfw.py
@ -1,6 +1,4 @@
 import os
 import sys
 import struct
 import subprocess as ssubprocess
 from sshuttle.methods import BaseMethod
 from sshuttle.helpers import log, debug1, debug3, \
@ -31,9 +29,9 @@ IPV6_RECVDSTADDR = 74
 if recvmsg == "python":
    def recv_udp(listener, bufsize):
        debug3('Accept UDP python using recvmsg.\n')
-        data, ancdata, msg_flags, srcip = listener.recvmsg(4096, socket.CMSG_SPACE(4))
+        data, ancdata, _, srcip = listener.recvmsg(4096,
                                                   socket.CMSG_SPACE(4))
        dstip = None
        family = None
        for cmsg_level, cmsg_type, cmsg_data in ancdata:
            if cmsg_level == socket.SOL_IP and cmsg_type == IP_RECVDSTADDR:
                port = 53
@ -44,13 +42,13 @@ if recvmsg == "python":
 elif recvmsg == "socket_ext":
    def recv_udp(listener, bufsize):
        debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, flags = listener.recvmsg((bufsize,), socket.CMSG_SPACE(4))
+        srcip, data, adata, _ = listener.recvmsg((bufsize,),
                                                 socket.CMSG_SPACE(4))
        dstip = None
        family = None
        for a in adata:
            if a.cmsg_level == socket.SOL_IP and a.cmsg_type == IP_RECVDSTADDR:
                port = 53
-                ip = socket.inet_ntop(socket.AF_INET, cmsg_data[0:4])
+                ip = socket.inet_ntop(socket.AF_INET, a.cmsg_data[0:4])
                dstip = (ip, port)
                break
        return (srcip, dstip, data[0])
@ -72,10 +70,10 @@ def ipfw_rule_exists(n):
    found = False
    for line in p.stdout:
        if line.startswith(b'%05d ' % n):
-            if not ('ipttl 42' in line or 'check-state' in line):
+            if not ('ipttl 63' in line or 'check-state' in line):
                log('non-sshuttle ipfw rule: %r\n' % line.strip())
                raise Fatal('non-sshuttle ipfw rule #%d already exists!' % n)
-                found = True
+            found = True
    rv = p.wait()
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
@ -107,7 +105,8 @@ def _fill_oldctls(prefix):
 def _sysctl_set(name, val):
    argv = ['sysctl', '-w', '%s=%s' % (name, val)]
    debug1('>> %s\n' % ' '.join(argv))
-    return ssubprocess.call(argv, stdout=open('/dev/null', 'w'))
+    return ssubprocess.call(argv, stdout=open(os.devnull, 'w'))
    # No env: No output. (Or error that won't be parsed.)
 _changedctls = []
@ -136,10 +135,12 @@ def sysctl_set(name, val, permanent=False):
            _changedctls.append(name)
        return True
 def ipfw(*args):
    argv = ['ipfw', '-q'] + list(args)
    debug1('>> %s\n' % ' '.join(argv))
    rv = ssubprocess.call(argv)
    # No env: No output. (Or error that won't be parsed.)
    if rv:
        raise Fatal('%r returned %d' % (argv, rv))
@ -148,19 +149,21 @@ def ipfw_noexit(*args):
    argv = ['ipfw', '-q'] + list(args)
    debug1('>> %s\n' % ' '.join(argv))
    ssubprocess.call(argv)
    # No env: No output. (Or error that won't be parsed.)
 class Method(BaseMethod):
-    
+
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.ipv6 = False
-        result.udp = False #NOTE: Almost there, kernel patch needed
+        result.udp = False  # NOTE: Almost there, kernel patch needed
        result.dns = True
        return result
-    
+
    def get_tcp_dstip(self, sock):
        return sock.getsockname()
-    
+
    def recv_udp(self, udp_listener, bufsize):
        srcip, dstip, data = recv_udp(udp_listener, bufsize)
        if not dstip:
@ -177,85 +180,78 @@ class Method(BaseMethod):
               "couldn't determine source IP address\n" % (dstip,))
            return
-        #debug3('Sending SRC: %r DST: %r\n' % (srcip, dstip))
+        # debug3('Sending SRC: %r DST: %r\n' % (srcip, dstip))
        sender = socket.socket(sock.family, socket.SOCK_DGRAM)
        sender.setsockopt(socket.SOL_IP, IP_BINDANY, 1)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sender.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
-        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
+        sender.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
        sender.bind(srcip)
-        sender.sendto(data,dstip)
+        sender.sendto(data, dstip)
        sender.close()
    def setup_udp_listener(self, udp_listener):
        if udp_listener.v4 is not None:
            udp_listener.v4.setsockopt(socket.SOL_IP, IP_RECVDSTADDR, 1)
-        #if udp_listener.v6 is not None:
+        # if udp_listener.v6 is not None:
-        #    udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
+        #     udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVDSTADDR, 1)
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
                       user):
        # IPv6 not supported
-        if family not in [socket.AF_INET ]:
+        if family not in [socket.AF_INET]:
            raise Exception(
                'Address family "%s" unsupported by ipfw method_name'
                % family_to_string(family))
-    
+
-        #XXX: Any risk from this?
+        # XXX: Any risk from this?
        ipfw_noexit('delete', '1')
        while _changedctls:
            name = _changedctls.pop()
            oldval = _oldctls[name]
            _sysctl_set(name, oldval)
-    
+
        if subnets or dnsport:
            sysctl_set('net.inet.ip.fw.enable', 1)
-            
+
        ipfw('add', '1', 'check-state', 'ip',
             'from', 'any', 'to', 'any')
-        
+
        ipfw('add', '1', 'skipto', '2',
             'tcp',
             'from', 'any', 'to', 'table(125)')
        ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
             'tcp',
             'from', 'any', 'to', 'table(126)',
-             'not', 'ipttl', '42', 'keep-state', 'setup')
+             'not', 'ipttl', '63', 'keep-state', 'setup')
        ipfw_noexit('table', '124', 'flush')
        dnscount = 0
-        for f, ip in [i for i in nslist if i[0] == family]:
+        for _, ip in [i for i in nslist if i[0] == family]:
            ipfw('table', '124', 'add', '%s' % (ip))
            dnscount += 1
        if dnscount > 0:
            ipfw('add', '1', 'fwd', '127.0.0.1,%d' % dnsport,
                 'udp',
                 'from', 'any', 'to', 'table(124)',
-                 'not', 'ipttl', '42')
+                 'not', 'ipttl', '63')
-        """if udp:
+        ipfw('add', '1', 'allow',
            ipfw('add', '1', 'skipto', '2',
                 'udp',
                 'from', 'any', 'to', 'table(125)')
            ipfw('add', '1', 'fwd', '127.0.0.1,%d' % port,
                 'udp',
                 'from', 'any', 'to', 'table(126)',
                 'not', 'ipttl', '42')
        """
        ipfw('add', '1', 'allow', 
             'udp',
             'from', 'any', 'to', 'any',
-             'ipttl', '42')
+             'ipttl', '63')
        if subnets:
            # create new subnet entries
-            for f, swidth, sexclude, snet \
+            for _, swidth, sexclude, snet in sorted(subnets,
-                in sorted(subnets, key=lambda s: s[1], reverse=True):
+                                                    key=lambda s: s[1],
                                                    reverse=True):
                if sexclude:
                    ipfw('table', '125', 'add', '%s/%s' % (snet, swidth))
            else:
                ipfw('table', '126', 'add', '%s/%s' % (snet, swidth))
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
        if family not in [socket.AF_INET]:
            raise Exception(
                'Address family "%s" unsupported by tproxy method'
@ -265,4 +261,3 @@ class Method(BaseMethod):
        ipfw_noexit('table', '124', 'flush')
        ipfw_noexit('table', '125', 'flush')
        ipfw_noexit('table', '126', 'flush')
--- a/sshuttle/methods/nat.py
+++ b/sshuttle/methods/nat.py
@ -12,7 +12,8 @@ class Method(BaseMethod):
    # the multiple copies shouldn't have overlapping subnets, or only the most-
    # recently-started one will win (because we use "-I OUTPUT 1" instead of
    # "-A OUTPUT").
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
                       user):
        # only ipv4 supported with NAT
        if family != socket.AF_INET:
            raise Exception(
@ -29,18 +30,40 @@ class Method(BaseMethod):
        def _ipt_ttl(*args):
            return ipt_ttl(family, table, *args)
        def _ipm(*args):
            return ipt(family, "mangle", *args)
        chain = 'sshuttle-%s' % port
        # basic cleanup/setup of chains
-        self.restore_firewall(port, family, udp)
+        self.restore_firewall(port, family, udp, user)
        _ipt('-N', chain)
        _ipt('-F', chain)
-        _ipt('-I', 'OUTPUT', '1', '-j', chain)
+        if user is not None:
-        _ipt('-I', 'PREROUTING', '1', '-j', chain)
+            _ipm('-I', 'OUTPUT', '1', '-m', 'owner', '--uid-owner', str(user),
                 '-j', 'MARK', '--set-mark', str(port))
            args = '-m', 'mark', '--mark', str(port), '-j', chain
        else:
            args = '-j', chain
        _ipt('-I', 'OUTPUT', '1', *args)
        _ipt('-I', 'PREROUTING', '1', *args)
        # Firstly we always skip all LOCAL addtrype address, i.e. avoid
        # tunnelling the traffic designated to all local TCP/IP addresses.
        _ipt('-A', chain, '-j', 'RETURN',
             '-m', 'addrtype',
             '--dst-type', 'LOCAL',
             '!', '-p', 'udp')
        # Skip LOCAL traffic if it's not DNS.
        _ipt('-A', chain, '-j', 'RETURN',
             '-m', 'addrtype',
             '--dst-type', 'LOCAL',
             '-p', 'udp', '!', '--dport', '53')
        # create new subnet entries.
-        for f, swidth, sexclude, snet, fport, lport \
+        for _, swidth, sexclude, snet, fport, lport \
                in sorted(subnets, key=subnet_weight, reverse=True):
            tcp_ports = ('-p', 'tcp')
            if fport:
@ -55,14 +78,14 @@ class Method(BaseMethod):
                         '--dest', '%s/%s' % (snet, swidth),
                         *(tcp_ports + ('--to-ports', str(port))))
-        for f, ip in [i for i in nslist if i[0] == family]:
+        for _, ip in [i for i in nslist if i[0] == family]:
            _ipt_ttl('-A', chain, '-j', 'REDIRECT',
                     '--dest', '%s/32' % ip,
                     '-p', 'udp',
                     '--dport', '53',
                     '--to-ports', str(dnsport))
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
        # only ipv4 supported with NAT
        if family != socket.AF_INET:
            raise Exception(
@ -79,11 +102,25 @@ class Method(BaseMethod):
        def _ipt_ttl(*args):
            return ipt_ttl(family, table, *args)
        def _ipm(*args):
            return ipt(family, "mangle", *args)
        chain = 'sshuttle-%s' % port
        # basic cleanup/setup of chains
        if ipt_chain_exists(family, table, chain):
-            nonfatal(_ipt, '-D', 'OUTPUT', '-j', chain)
+            if user is not None:
-            nonfatal(_ipt, '-D', 'PREROUTING', '-j', chain)
+                nonfatal(_ipm, '-D', 'OUTPUT', '-m', 'owner', '--uid-owner',
                         str(user), '-j', 'MARK', '--set-mark', str(port))
                args = '-m', 'mark', '--mark', str(port), '-j', chain
            else:
                args = '-j', chain
            nonfatal(_ipt, '-D', 'OUTPUT', *args)
            nonfatal(_ipt, '-D', 'PREROUTING', *args)
            nonfatal(_ipt, '-F', chain)
            _ipt('-X', chain)
    def get_supported_features(self):
        result = super(Method, self).get_supported_features()
        result.user = True
        return result
--- a/sshuttle/methods/nft.py
+++ b/sshuttle/methods/nft.py
@ -0,0 +1,76 @@
 import socket
 from sshuttle.firewall import subnet_weight
 from sshuttle.linux import nft, nonfatal
 from sshuttle.methods import BaseMethod
 class Method(BaseMethod):
    # We name the chain based on the transproxy port number so that it's
    # possible to run multiple copies of sshuttle at the same time.  Of course,
    # the multiple copies shouldn't have overlapping subnets, or only the most-
    # recently-started one will win (because we use "-I OUTPUT 1" instead of
    # "-A OUTPUT").
    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
                       user):
        if udp:
            raise Exception("UDP not supported by nft")
        table = 'sshuttle-%s' % port
        def _nft(action, *args):
            return nft(family, table, action, *args)
        chain = table
        # basic cleanup/setup of chains
        _nft('add table', '')
        _nft('add chain', 'prerouting',
             '{ type nat hook prerouting priority -100; policy accept; }')
        _nft('add chain', 'output',
             '{ type nat hook output priority -100; policy accept; }')
        _nft('add chain', chain)
        _nft('flush chain', chain)
        _nft('add rule', 'output jump %s' % chain)
        _nft('add rule', 'prerouting jump %s' % chain)
        # create new subnet entries.
        for _, swidth, sexclude, snet, fport, lport \
                in sorted(subnets, key=subnet_weight, reverse=True):
            tcp_ports = ('ip', 'protocol', 'tcp')
            if fport and fport != lport:
                tcp_ports = \
                    tcp_ports + \
                    ('tcp', 'dport', '{ %d-%d }' % (fport, lport))
            elif fport and fport == lport:
                tcp_ports = tcp_ports + ('tcp', 'dport', '%d' % (fport))
            if sexclude:
                _nft('add rule', chain, *(tcp_ports + (
                     'ip daddr %s/%s' % (snet, swidth), 'return')))
            else:
                _nft('add rule', chain, *(tcp_ports + (
                     'ip daddr %s/%s' % (snet, swidth), 'ip ttl != 63',
                     ('redirect to :' + str(port)))))
        for _, ip in [i for i in nslist if i[0] == family]:
            if family == socket.AF_INET:
                _nft('add rule', chain, 'ip protocol udp ip daddr %s' % ip,
                     'udp dport { 53 }', 'ip ttl != 63',
                     ('redirect to :' + str(dnsport)))
            elif family == socket.AF_INET6:
                _nft('add rule', chain, 'ip6 protocol udp ip6 daddr %s' % ip,
                     'udp dport { 53 }', 'ip ttl != 63',
                     ('redirect to :' + str(dnsport)))
    def restore_firewall(self, port, family, udp, user):
        if udp:
            raise Exception("UDP not supported by nft method_name")
        table = 'sshuttle-%s' % port
        def _nft(action, *args):
            return nft(family, table, action, *args)
        # basic cleanup/setup of chains
        nonfatal(_nft, 'delete table', '')
--- a/sshuttle/methods/pf.py
+++ b/sshuttle/methods/pf.py
@ -3,6 +3,7 @@ import sys
 import platform
 import re
 import socket
 import errno
 import struct
 import subprocess as ssubprocess
 import shlex
@ -14,7 +15,11 @@ from sshuttle.helpers import debug1, debug2, debug3, Fatal, family_to_string
 from sshuttle.methods import BaseMethod
-_pf_context = {'started_by_sshuttle': False, 'Xtoken': []}
+_pf_context = {
    'started_by_sshuttle': 0,
    'loaded_by_sshuttle': True,
    'Xtoken': []
 }
 _pf_fd = None
@ -31,7 +36,7 @@ class Generic(object):
    class pf_addr(Structure):
        class _pfa(Union):
-             _fields_ = [("v4", c_uint32),     # struct in_addr
+            _fields_ = [("v4", c_uint32),      # struct in_addr
                        ("v6", c_uint32 * 4),  # struct in6_addr
                        ("addr8", c_uint8 * 16),
                        ("addr16", c_uint16 * 8),
@ -60,13 +65,14 @@ class Generic(object):
    def enable(self):
        if b'INFO:\nStatus: Disabled' in self.status:
            pfctl('-e')
-            _pf_context['started_by_sshuttle'] = True
+            _pf_context['started_by_sshuttle'] += 1
-    def disable(self, anchor):
+    @staticmethod
    def disable(anchor):
        pfctl('-a %s -F all' % anchor)
-        if _pf_context['started_by_sshuttle']:
+        if _pf_context['started_by_sshuttle'] == 1:
            pfctl('-d')
-            _pf_context['started_by_sshuttle'] = False
+        _pf_context['started_by_sshuttle'] -= 1
    def query_nat(self, family, proto, src_ip, src_port, dst_ip, dst_port):
        [proto, family, src_port, dst_port] = [
@ -94,11 +100,13 @@ class Generic(object):
        port = socket.ntohs(self._get_natlook_port(pnl.rdxport))
        return (ip, port)
-    def _add_natlook_ports(self, pnl, src_port, dst_port):
+    @staticmethod
    def _add_natlook_ports(pnl, src_port, dst_port):
        pnl.sxport = socket.htons(src_port)
        pnl.dxport = socket.htons(dst_port)
-    def _get_natlook_port(self, xport):
+    @staticmethod
    def _get_natlook_port(xport):
        return xport
    def add_anchors(self, anchor, status=None):
@ -108,39 +116,44 @@ class Generic(object):
        if ('\nanchor "%s"' % anchor).encode('ASCII') not in status:
            self._add_anchor_rule(self.PF_PASS, anchor.encode('ASCII'))
-    def _add_anchor_rule(self, type, name, pr=None):
+    def _add_anchor_rule(self, kind, name, pr=None):
        if pr is None:
            pr = self.pfioc_rule()
        memmove(addressof(pr) + self.ANCHOR_CALL_OFFSET, name,
                min(self.MAXPATHLEN, len(name)))  # anchor_call = name
        memmove(addressof(pr) + self.RULE_ACTION_OFFSET,
-                struct.pack('I', type), 4)  # rule.action = type
+                struct.pack('I', kind), 4)  # rule.action = kind
-        memmove(addressof(pr) + self.ACTION_OFFSET, struct.pack(
+        memmove(addressof(pr) + self.ACTION_OFFSET,
-            'I', self.PF_CHANGE_GET_TICKET), 4)  # action = PF_CHANGE_GET_TICKET
+                struct.pack('I', self.PF_CHANGE_GET_TICKET),
                4)  # action = PF_CHANGE_GET_TICKET
        ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)
-        memmove(addressof(pr) + self.ACTION_OFFSET, struct.pack(
+        memmove(addressof(pr) + self.ACTION_OFFSET,
-            'I', self.PF_CHANGE_ADD_TAIL), 4)  # action = PF_CHANGE_ADD_TAIL
+                struct.pack('I', self.PF_CHANGE_ADD_TAIL),
                4)  # action = PF_CHANGE_ADD_TAIL
        ioctl(pf_get_dev(), pf.DIOCCHANGERULE, pr)
-    def _inet_version(self, family):
+    @staticmethod
    def _inet_version(family):
        return b'inet' if family == socket.AF_INET else b'inet6'
-    def _lo_addr(self, family):
+    @staticmethod
    def _lo_addr(family):
        return b'127.0.0.1' if family == socket.AF_INET else b'::1'
-    def add_rules(self, anchor, rules):
+    @staticmethod
    def add_rules(anchor, rules):
        assert isinstance(rules, bytes)
        debug3("rules:\n" + rules.decode("ASCII"))
        pfctl('-a %s -f /dev/stdin' % anchor, rules)
-    def has_skip_loopback(self):
+    @staticmethod
    def has_skip_loopback():
        return b'skip' in pfctl('-s Interfaces -i lo -v')[0]
 class FreeBsd(Generic):
    RULE_ACTION_OFFSET = 2968
@ -165,8 +178,19 @@ class FreeBsd(Generic):
        freebsd.pfioc_natlook = pfioc_natlook
        return freebsd
-    def __init__(self):
+    def enable(self):
-        super(FreeBsd, self).__init__()
+        returncode = ssubprocess.call(['kldload', 'pf'])
        # No env: No output.
        super(FreeBsd, self).enable()
        if returncode == 0:
            _pf_context['loaded_by_sshuttle'] = True
    def disable(self, anchor):
        super(FreeBsd, self).disable(anchor)
        if _pf_context['loaded_by_sshuttle'] and \
                _pf_context['started_by_sshuttle'] == 0:
            ssubprocess.call(['kldunload', 'pf'])
            # No env: No output.
    def add_anchors(self, anchor):
        status = pfctl('-s all')[0]
@ -174,14 +198,14 @@ class FreeBsd(Generic):
            self._add_anchor_rule(self.PF_RDR, anchor.encode('ASCII'))
        super(FreeBsd, self).add_anchors(anchor, status=status)
-    def _add_anchor_rule(self, type, name):
+    def _add_anchor_rule(self, kind, name, pr=None):
-        pr = self.pfioc_rule()
+        pr = pr or self.pfioc_rule()
        ppa = self.pfioc_pooladdr()
        ioctl(pf_get_dev(), self.DIOCBEGINADDRS, ppa)
        # pool ticket
        memmove(addressof(pr) + self.POOL_TICKET_OFFSET, ppa[4:8], 4)
-        super(FreeBsd, self)._add_anchor_rule(type, name, pr=pr)
+        super(FreeBsd, self)._add_anchor_rule(kind, name, pr=pr)
    def add_rules(self, anchor, includes, port, dnsport, nslist, family):
        inet_version = self._inet_version(family)
@ -189,19 +213,19 @@ class FreeBsd(Generic):
        tables = []
        translating_rules = [
-            b'rdr pass on lo0 %s proto tcp to %s '
+            b'rdr pass on lo0 %s proto tcp from ! %s to %s '
-            b'-> %s port %r' % (inet_version, subnet, lo_addr, port)
+            b'-> %s port %r' % (inet_version, lo_addr, subnet, lo_addr, port)
            for exclude, subnet in includes if not exclude
        ]
        filtering_rules = [
            b'pass out route-to lo0 %s proto tcp '
            b'to %s keep state' % (inet_version, subnet)
            if not exclude else
-            b'pass out quick %s proto tcp to %s' % (inet_version, subnet)
+            b'pass out %s proto tcp to %s' % (inet_version, subnet)
            for exclude, subnet in includes
        ]
-        if len(nslist) > 0:
+        if nslist:
            tables.append(
                b'table <dns_servers> {%s}' %
                b','.join([ns[1].encode("ASCII") for ns in nslist]))
@ -241,7 +265,7 @@ class OpenBsd(Generic):
                        ("proto_variant", c_uint8),
                        ("direction", c_uint8)]
-        self.pfioc_rule = c_char * 3400
+        self.pfioc_rule = c_char * 3424
        self.pfioc_natlook = pfioc_natlook
        super(OpenBsd, self).__init__()
@ -267,11 +291,11 @@ class OpenBsd(Generic):
            b'pass out %s proto tcp to %s '
            b'route-to lo0 keep state' % (inet_version, subnet)
            if not exclude else
-            b'pass out quick %s proto tcp to %s' % (inet_version, subnet)
+            b'pass out %s proto tcp to %s' % (inet_version, subnet)
            for exclude, subnet in includes
        ]
-        if len(nslist) > 0:
+        if nslist:
            tables.append(
                b'table <dns_servers> {%s}' %
                b','.join([ns[1].encode("ASCII") for ns in nslist]))
@ -400,7 +424,13 @@ class Method(BaseMethod):
    def get_tcp_dstip(self, sock):
        pfile = self.firewall.pfile
-        peer = sock.getpeername()
+        try:
            peer = sock.getpeername()
        except socket.error:
            _, e = sys.exc_info()[:2]
            if e.args[0] == errno.EINVAL:
                return sock.getsockname()
        proxy = sock.getsockname()
        argv = (sock.family, socket.IPPROTO_TCP,
@ -417,11 +447,8 @@ class Method(BaseMethod):
        return sock.getsockname()
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
-        tables = []
+                       user):
        translating_rules = []
        filtering_rules = []
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by pf method_name'
@ -429,13 +456,13 @@ class Method(BaseMethod):
        if udp:
            raise Exception("UDP not supported by pf method_name")
-        if len(subnets) > 0:
+        if subnets:
            includes = []
            # If a given subnet is both included and excluded, list the
            # exclusion first; the table will ignore the second, opposite
            # definition
-            for f, swidth, sexclude, snet, fport, lport \
+            for _, swidth, sexclude, snet, fport, lport \
-                    in sorted(subnets, key=subnet_weight, reverse=True):
+                    in sorted(subnets, key=subnet_weight):
                includes.append((sexclude, b"%s/%d%s" % (
                    snet.encode("ASCII"),
                    swidth,
@ -446,7 +473,7 @@ class Method(BaseMethod):
        pf.add_rules(anchor, includes, port, dnsport, nslist, family)
        pf.enable()
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by pf method_name'
--- a/sshuttle/methods/tproxy.py
+++ b/sshuttle/methods/tproxy.py
@ -33,7 +33,7 @@ IPV6_RECVORIGDSTADDR = IPV6_ORIGDSTADDR
 if recvmsg == "python":
    def recv_udp(listener, bufsize):
        debug3('Accept UDP python using recvmsg.\n')
-        data, ancdata, msg_flags, srcip = listener.recvmsg(
+        data, ancdata, _, srcip = listener.recvmsg(
            4096, socket.CMSG_SPACE(24))
        dstip = None
        family = None
@ -64,7 +64,7 @@ if recvmsg == "python":
 elif recvmsg == "socket_ext":
    def recv_udp(listener, bufsize):
        debug3('Accept UDP using socket_ext recvmsg.\n')
-        srcip, data, adata, flags = listener.recvmsg(
+        srcip, data, adata, _ = listener.recvmsg(
            (bufsize,), socket.CMSG_SPACE(24))
        dstip = None
        family = None
@ -150,7 +150,8 @@ class Method(BaseMethod):
        if udp_listener.v6 is not None:
            udp_listener.v6.setsockopt(SOL_IPV6, IPV6_RECVORIGDSTADDR, 1)
-    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp):
+    def setup_firewall(self, port, dnsport, nslist, family, subnets, udp,
                       user):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by tproxy method'
@ -168,13 +169,12 @@ class Method(BaseMethod):
            return proto + ('--dport', '%d:%d' % (fport, lport)) \
                    if fport else proto
        mark_chain = 'sshuttle-m-%s' % port
        tproxy_chain = 'sshuttle-t-%s' % port
        divert_chain = 'sshuttle-d-%s' % port
        # basic cleanup/setup of chains
-        self.restore_firewall(port, family, udp)
+        self.restore_firewall(port, family, udp, user)
        _ipt('-N', mark_chain)
        _ipt('-F', mark_chain)
@ -193,7 +193,7 @@ class Method(BaseMethod):
            _ipt('-A', tproxy_chain, '-m', 'socket', '-j', divert_chain,
                 '-m', 'udp', '-p', 'udp')
-        for f, ip in [i for i in nslist if i[0] == family]:
+        for _, ip in [i for i in nslist if i[0] == family]:
            _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
                 '--dest', '%s/32' % ip,
                 '-m', 'udp', '-p', 'udp', '--dport', '53')
@ -203,7 +203,7 @@ class Method(BaseMethod):
                 '-m', 'udp', '-p', 'udp', '--dport', '53',
                 '--on-port', str(dnsport))
-        for f, swidth, sexclude, snet, fport, lport \
+        for _, swidth, sexclude, snet, fport, lport \
                in sorted(subnets, key=subnet_weight, reverse=True):
            tcp_ports = ('-p', 'tcp')
            tcp_ports = _ipt_proto_ports(tcp_ports, fport, lport)
@ -244,14 +244,15 @@ class Method(BaseMethod):
                else:
                    _ipt('-A', mark_chain, '-j', 'MARK', '--set-mark', '1',
                         '--dest', '%s/%s' % (snet, swidth),
-                         '-m', 'udp', '-p', 'udp')
+                         '-m', 'udp',
                         *udp_ports)
                    _ipt('-A', tproxy_chain, '-j', 'TPROXY',
                         '--tproxy-mark', '0x1/0x1',
                         '--dest', '%s/%s' % (snet, swidth),
                         '-m', 'udp',
                         *(udp_ports + ('--on-port', str(port))))
-    def restore_firewall(self, port, family, udp):
+    def restore_firewall(self, port, family, udp, user):
        if family not in [socket.AF_INET, socket.AF_INET6]:
            raise Exception(
                'Address family "%s" unsupported by tproxy method'
--- a/sshuttle/options.py
+++ b/sshuttle/options.py
@ -1,6 +1,7 @@
 import re
 import socket
 from argparse import ArgumentParser, Action, ArgumentTypeError as Fatal
 from sshuttle import __version__
@ -13,9 +14,9 @@ def parse_subnetport_file(s):
    raw_config_lines = handle.readlines()
    subnets = []
-    for line_no, line in enumerate(raw_config_lines):
+    for _, line in enumerate(raw_config_lines):
        line = line.strip()
-        if len(line) == 0:
+        if not line:
            continue
        if line[0] == '#':
            continue
@ -31,7 +32,7 @@ def parse_subnetport(s):
    if s.count(':') > 1:
        rx = r'(?:\[?([\w\:]+)(?:/(\d+))?]?)(?::(\d+)(?:-(\d+))?)?$'
    else:
-        rx = r'([\w\.]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'
+        rx = r'([\w\.\-]+)(?:/(\d+))?(?::(\d+)(?:-(\d+))?)?$'
    m = re.match(rx, s)
    if not m:
@ -62,7 +63,7 @@ def parse_ipport(s):
    elif ']' in s:
        rx = r'(?:\[([^]]+)])(?::(\d+))?$'
    else:
-        rx = r'([\w\.]+)(?::(\d+))?$'
+        rx = r'([\w\.\-]+)(?::(\d+))?$'
    m = re.match(rx, s)
    if not m:
@ -81,8 +82,8 @@ def parse_ipport(s):
    return (family,) + addr[:2]
-def parse_list(list):
+def parse_list(lst):
-    return re.split(r'[\s,]+', list.strip()) if list else []
+    return re.split(r'[\s,]+', lst.strip()) if lst else []
 class Concat(Action):
@ -98,7 +99,8 @@ class Concat(Action):
 parser = ArgumentParser(
    prog="sshuttle",
-    usage="%(prog)s [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>"
+    usage="%(prog)s [-l [ip:]port] [-r [user@]sshserver[:port]] <subnets...>",
    fromfile_prefix_chars="@"
 )
 parser.add_argument(
    "subnets",
@ -120,7 +122,8 @@ parser.add_argument(
    "-H", "--auto-hosts",
    action="store_true",
    help="""
-    continuously scan for remote hostnames and update local /etc/hosts as they are found
+    continuously scan for remote hostnames and update local /etc/hosts as
    they are found
    """
 )
 parser.add_argument(
@ -146,9 +149,19 @@ parser.add_argument(
    capture and forward DNS requests made to the following servers
    """
 )
 parser.add_argument(
    "--to-ns",
    metavar="IP[:PORT]",
    type=parse_ipport,
    help="""
    the DNS server to forward requests to; defaults to servers in
    /etc/resolv.conf on remote side if not given.
    """
 )
 parser.add_argument(
    "--method",
-    choices=["auto", "nat", "tproxy", "pf", "ipfw"],
+    choices=["auto", "nat", "nft", "tproxy", "pf", "ipfw"],
    metavar="TYPE",
    default="auto",
    help="""
@ -164,9 +177,9 @@ parser.add_argument(
 )
 parser.add_argument(
    "-r", "--remote",
-    metavar="[USERNAME@]ADDR[:PORT]",
+    metavar="[USERNAME[:PASSWORD]@]ADDR[:PORT]",
    help="""
-    ssh hostname (and optional username) of remote %(prog)s server
+    ssh hostname (and optional username and password) of remote %(prog)s server
    """
 )
 parser.add_argument(
@ -218,7 +231,8 @@ parser.add_argument(
    metavar="HOSTNAME[,HOSTNAME]",
    default=[],
    help="""
-    comma-separated list of hostnames for initial scan (may be used with or without --auto-hosts)
+    comma-separated list of hostnames for initial scan (may be used with
    or without --auto-hosts)
    """
 )
 parser.add_argument(
@ -229,6 +243,16 @@ parser.add_argument(
    sacrifice latency to improve bandwidth benchmarks
    """
 )
 parser.add_argument(
    "--latency-buffer-size",
    metavar="SIZE",
    type=int,
    default=32768,
    dest="latency_buffer_size",
    help="""
    size of latency control buffer
    """
 )
 parser.add_argument(
    "--wrap",
    metavar="NUM",
@ -277,6 +301,12 @@ parser.add_argument(
    pidfile name (only if using --daemon) [%(default)s]
    """
 )
 parser.add_argument(
    "--user",
    help="""
    apply all the rules only to this linux user
    """
 )
 parser.add_argument(
    "--firewall",
    action="store_true",
@ -291,3 +321,42 @@ parser.add_argument(
    (internal use only)
    """
 )
 parser.add_argument(
    "--sudoers",
    action="store_true",
    help="""
    Add sshuttle to the sudoers for this user
    """
 )
 parser.add_argument(
    "--sudoers-no-modify",
    action="store_true",
    help="""
    Prints the sudoers config to STDOUT and DOES NOT modify anything.
    """
 )
 parser.add_argument(
    "--sudoers-user",
    default="",
    help="""
    Set the user name or group with %%group_name for passwordless operation.
    Default is the current user.set ALL for all users. Only works with
    --sudoers or --sudoers-no-modify option.
    """
 )
 parser.add_argument(
    "--sudoers-filename",
    default="sshuttle_auto",
    help="""
    Set the file name for the sudoers.d file to be added. Default is
    "sshuttle_auto". Only works with --sudoers or --sudoers-no-modify option.
    """
 )
 parser.add_argument(
    "--no-sudo-pythonpath",
    action="store_false",
    dest="sudo_pythonpath",
    help="""
    do not set PYTHONPATH when invoking sudo
    """
 )
--- a/sshuttle/sdnotify.py
+++ b/sshuttle/sdnotify.py
@ -1,7 +1,9 @@
 import socket
 import os
 from sshuttle.helpers import debug1
 def _notify(message):
    addr = os.environ.get("NOTIFY_SOCKET", None)
@ -9,14 +11,14 @@ def _notify(message):
        return False
    addr = '\0' + addr[1:] if addr[0] == '@' else addr
-    
+
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM)
    except (OSError, IOError) as e:
        debug1("Error creating socket to notify systemd: %s\n" % e)
        return False
-    if not message: 
+    if not message:
        return False
    assert isinstance(message, bytes)
@ -27,14 +29,18 @@ def _notify(message):
        debug1("Error notifying systemd: %s\n" % e)
        return False
 def send(*messages):
    return _notify(b'\n'.join(messages))
 def ready():
    return b"READY=1"
 def stop():
    return b"STOPPING=1"
 def status(message):
    return b"STATUS=%s" % message.encode('utf8')
--- a/sshuttle/server.py
+++ b/sshuttle/server.py
@ -6,6 +6,7 @@ import time
 import sys
 import os
 import platform
 from shutil import which
 import sshuttle.ssnet as ssnet
 import sshuttle.helpers as helpers
@ -15,17 +16,12 @@ from sshuttle.ssnet import Handler, Proxy, Mux, MuxWrapper
 from sshuttle.helpers import b, log, debug1, debug2, debug3, Fatal, \
    resolvconf_random_nameserver
 try:
    from shutil import which
 except ImportError:
    from distutils.spawn import find_executable as which
 def _ipmatch(ipstr):
    # FIXME: IPv4 only
    if ipstr == 'default':
        ipstr = '0.0.0.0/0'
-    m = re.match('^(\d+(\.\d+(\.\d+(\.\d+)?)?)?)(?:/(\d+))?$', ipstr)
+    m = re.match(r'^(\d+(\.\d+(\.\d+(\.\d+)?)?)?)(?:/(\d+))?$', ipstr)
    if m:
        g = m.groups()
        ips = g[0]
@ -160,7 +156,7 @@ class Hostwatch:
 class DnsProxy(Handler):
-    def __init__(self, mux, chan, request):
+    def __init__(self, mux, chan, request, to_nameserver):
        Handler.__init__(self, [])
        self.timeout = time.time() + 30
        self.mux = mux
@ -168,22 +164,43 @@ class DnsProxy(Handler):
        self.tries = 0
        self.request = request
        self.peers = {}
        self.to_ns_peer = None
        self.to_ns_port = None
        if to_nameserver is None:
            self.to_nameserver = None
        else:
            self.to_ns_peer, self.to_ns_port = to_nameserver.split("@")
            self.to_nameserver = self._addrinfo(self.to_ns_peer,
                                                self.to_ns_port)
        self.try_send()
    @staticmethod
    def _addrinfo(peer, port):
        if int(port) == 0:
            port = 53
        family, _, _, _, sockaddr = socket.getaddrinfo(peer, port)[0]
        return (family, sockaddr)
    def try_send(self):
        if self.tries >= 3:
            return
        self.tries += 1
-        family, peer = resolvconf_random_nameserver()
+        if self.to_nameserver is None:
            _, peer = resolvconf_random_nameserver()
            port = 53
        else:
            peer = self.to_ns_peer
            port = int(self.to_ns_port)
        family, sockaddr = self._addrinfo(peer, port)
        sock = socket.socket(family, socket.SOCK_DGRAM)
-        sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
+        sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
-        sock.connect((peer, 53))
+        sock.connect(sockaddr)
        self.peers[sock] = peer
-        debug2('DNS: sending to %r (try %d)\n' % (peer, self.tries))
+        debug2('DNS: sending to %r:%d (try %d)\n' % (peer, port, self.tries))
        try:
            sock.send(self.request)
            self.socks.append(sock)
@ -235,7 +252,7 @@ class UdpProxy(Handler):
        self.chan = chan
        self.sock = sock
        if family == socket.AF_INET:
-            self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
+            self.sock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
    def send(self, dstip, data):
        debug2('UDP: sending to %r port %d\n' % dstip)
@ -258,7 +275,7 @@ class UdpProxy(Handler):
        self.mux.send(self.chan, ssnet.CMD_UDP_DATA, hdr + data)
-def main(latency_control, auto_hosts):
+def main(latency_control, auto_hosts, to_nameserver, auto_nets):
    debug1('Starting server with Python version %s\n'
           % platform.python_version())
@ -268,21 +285,23 @@ def main(latency_control, auto_hosts):
        helpers.logprefix = 'server: '
    debug1('latency control setting = %r\n' % latency_control)
    routes = list(list_routes())
    debug1('available routes:\n')
    for r in routes:
        debug1('  %d/%s/%d\n' % r)
    # synchronization header
    sys.stdout.write('\0\0SSHUTTLE0001')
    sys.stdout.flush()
    handlers = []
-    mux = Mux(socket.fromfd(sys.stdin.fileno(),
+    mux = Mux(sys.stdin, sys.stdout)
                            socket.AF_INET, socket.SOCK_STREAM),
              socket.fromfd(sys.stdout.fileno(),
                            socket.AF_INET, socket.SOCK_STREAM))
    handlers.append(mux)
    debug1('auto-nets:' + str(auto_nets) + '\n')
    if auto_nets:
        routes = list(list_routes())
        debug1('available routes:\n')
        for r in routes:
            debug1('  %d/%s/%d\n' % r)
    else:
        routes = []
    routepkt = ''
    for r in routes:
        routepkt += '%d,%s,%d\n' % r
@ -309,7 +328,7 @@ def main(latency_control, auto_hosts):
    def got_host_req(data):
        if not hw.pid:
            (hw.pid, hw.sock) = start_hostwatch(
-                    data.strip().split(), auto_hosts)
+                    data.decode("ASCII").strip().split(), auto_hosts)
            handlers.append(Handler(socks=[hw.sock],
                                    callback=hostwatch_ready))
    mux.got_host_req = got_host_req
@ -332,7 +351,7 @@ def main(latency_control, auto_hosts):
    def dns_req(channel, data):
        debug2('Incoming DNS request channel=%d.\n' % channel)
-        h = DnsProxy(mux, channel, data)
+        h = DnsProxy(mux, channel, data, to_nameserver)
        handlers.append(h)
        dnshandlers[channel] = h
    mux.got_dns_req = dns_req
--- a/sshuttle/ssh.py
+++ b/sshuttle/ssh.py
@ -3,89 +3,94 @@ import os
 import re
 import socket
 import zlib
-import imp
+import importlib
 import importlib.util
 import subprocess as ssubprocess
 import shlex
 from shlex import quote
 import ipaddress
 from urllib.parse import urlparse
 import sshuttle.helpers as helpers
 from sshuttle.helpers import debug2
 try:
    # Python >= 3.5
    from shlex import quote
 except ImportError:
    # Python 2.x
    from pipes import quote
-
+def get_module_source(name):
-def readfile(name):
+    spec = importlib.util.find_spec(name)
-    tokens = name.split(".")
+    with open(spec.origin, "rt") as f:
-    f = None
+        return f.read().encode("utf-8")
    token = tokens[0]
    token_name = [token]
    token_str = ".".join(token_name)
    try:
        f, pathname, description = imp.find_module(token_str)
        for token in tokens[1:]:
            module = imp.load_module(token_str, f, pathname, description)
            if f is not None:
                f.close()
            token_name.append(token)
            token_str = ".".join(token_name)
            f, pathname, description = imp.find_module(
                token, module.__path__)
        if f is not None:
            contents = f.read()
        else:
            contents = ""
    finally:
        if f is not None:
            f.close()
    return contents.encode("UTF8")
 def empackage(z, name, data=None):
    if not data:
-        data = readfile(name)
+        data = get_module_source(name)
    content = z.compress(data)
    content += z.flush(zlib.Z_SYNC_FLUSH)
    return b'%s\n%d\n%s' % (name.encode("ASCII"), len(content), content)
 def parse_hostport(rhostport):
    """
    parses the given rhostport variable, looking like this:
            [username[:password]@]host[:port]
    if only host is given, can be a hostname, IPv4/v6 address or a ssh alias
    from ~/.ssh/config
    and returns a tuple (username, password, port, host)
    """
    # leave use of default port to ssh command to prevent overwriting
    # ports configured in ~/.ssh/config when no port is given
    port = None
    username = None
    password = None
    host = rhostport
    if "@" in host:
        # split username (and possible password) from the host[:port]
        username, host = host.rsplit("@", 1)
        # Fix #410 bad username error detect
        if ":" in username:
            # this will even allow for the username to be empty
            username, password = username.split(":")
    if ":" in host:
        # IPv6 address and/or got a port specified
        # If it is an IPv6 adress with port specification,
        # then it will look like: [::1]:22
        try:
            # try to parse host as an IP adress,
            # if that works it is an IPv6 address
            host = str(ipaddress.ip_address(host))
        except ValueError:
            # if that fails parse as URL to get the port
            parsed = urlparse('//{}'.format(host))
            try:
                host = str(ipaddress.ip_address(parsed.hostname))
            except ValueError:
                # else if both fails, we have a hostname with port
                host = parsed.hostname
            port = parsed.port
    if password is None or len(password) == 0:
        password = None
    return username, password, port, host
 def connect(ssh_cmd, rhostport, python, stderr, options):
-    portl = []
+    username, password, port, host = parse_hostport(rhostport)
-
+    if username:
-    if re.sub(r'.*@', '', rhostport or '').count(':') > 1:
+        rhost = "{}@{}".format(username, host)
-        if rhostport.count(']') or rhostport.count('['):
+    else:
-            result = rhostport.split(']')
+        rhost = host
            rhost = result[0].strip('[')
            if len(result) > 1:
                result[1] = result[1].strip(':')
                if result[1] is not '':
                    portl = ['-p', str(int(result[1]))]
        # can't disambiguate IPv6 colons and a port number. pass the hostname
        # through.
        else:
            rhost = rhostport
    else:  # IPv4
        l = (rhostport or '').rsplit(':', 1)
        rhost = l[0]
        if len(l) > 1:
            portl = ['-p', str(int(l[1]))]
    if rhost == '-':
        rhost = None
    z = zlib.compressobj(1)
-    content = readfile('sshuttle.assembler')
+    content = get_module_source('sshuttle.assembler')
    optdata = ''.join("%s=%r\n" % (k, v) for (k, v) in list(options.items()))
    optdata = optdata.encode("UTF8")
    content2 = (empackage(z, 'sshuttle') +
@ -113,15 +118,27 @@ def connect(ssh_cmd, rhostport, python, stderr, options):
            sshl = shlex.split(ssh_cmd)
        else:
            sshl = ['ssh']
        if port is not None:
            portl = ["-p", str(port)]
        else:
            portl = []
        if python:
            pycmd = "'%s' -c '%s'" % (python, pyscript)
        else:
-            pycmd = ("P=python3.5; $P -V 2>/dev/null || P=python; "
+            pycmd = ("P=python3; $P -V 2>%s || P=python; "
-                     "exec \"$P\" -c %s") % quote(pyscript)
+                     "exec \"$P\" -c %s") % (os.devnull, quote(pyscript))
-            pycmd = ("exec /bin/sh -c %s" % quote(pycmd))
+            pycmd = ("/bin/sh -c {}".format(quote(pycmd)))
-        argv = (sshl +
+
-                portl +
+        if password is not None:
-                [rhost, '--', pycmd])
+            os.environ['SSHPASS'] = str(password)
            argv = (["sshpass", "-e"] + sshl +
                    portl +
                    [rhost, '--', pycmd])
        else:
            argv = (sshl +
                    portl +
                    [rhost, '--', pycmd])
    (s1, s2) = socket.socketpair()
    def setup():
--- a/sshuttle/ssnet.py
+++ b/sshuttle/ssnet.py
@ -4,19 +4,19 @@ import socket
 import errno
 import select
 import os
-from sshuttle.helpers import b, binary_type, log, debug1, debug2, debug3, Fatal
+import fcntl
 from sshuttle.helpers import b, log, debug1, debug2, debug3, Fatal
 MAX_CHANNEL = 65535
 LATENCY_BUFFER_SIZE = 32768
 # these don't exist in the socket module in python 2.3!
 SHUT_RD = 0
 SHUT_WR = 1
 SHUT_RDWR = 2
 HDR_LEN = 8
 CMD_EXIT = 0x4200
 CMD_PING = 0x4201
 CMD_PONG = 0x4202
@ -55,17 +55,18 @@ cmd_to_name = {
 NET_ERRS = [errno.ECONNREFUSED, errno.ETIMEDOUT,
            errno.EHOSTUNREACH, errno.ENETUNREACH,
            errno.EHOSTDOWN, errno.ENETDOWN,
-            errno.ENETUNREACH]
+            errno.ENETUNREACH, errno.ECONNABORTED,
            errno.ECONNRESET]
-def _add(l, elem):
+def _add(socks, elem):
-    if elem not in l:
+    if elem not in socks:
-        l.append(elem)
+        socks.append(elem)
-def _fds(l):
+def _fds(socks):
    out = []
-    for i in l:
+    for i in socks:
        try:
            out.append(i.fileno())
        except AttributeError:
@ -93,8 +94,12 @@ def _try_peername(sock):
            return '%s:%s' % (pn[0], pn[1])
    except socket.error:
        _, e = sys.exc_info()[:2]
-        if e.args[0] not in (errno.ENOTCONN, errno.ENOTSOCK):
+        if e.args[0] == errno.EINVAL:
            pass
        elif e.args[0] not in (errno.ENOTCONN, errno.ENOTSOCK):
            raise
    except AttributeError:
        pass
    return 'unknown'
@ -200,7 +205,8 @@ class SockWrapper:
                _, e = sys.exc_info()[:2]
                self.seterr('nowrite: %s' % e)
-    def too_full(self):
+    @staticmethod
    def too_full():
        return False  # fullness is determined by the socket's select() state
    def uwrite(self, buf):
@ -270,7 +276,7 @@ class Handler:
    def callback(self, sock):
        log('--no callback defined-- %r\n' % self)
-        (r, w, x) = select.select(self.socks, [], [], 0)
+        (r, _, _) = select.select(self.socks, [], [], 0)
        for s in r:
            v = s.recv(4096)
            if not v:
@ -331,10 +337,10 @@ class Proxy(Handler):
 class Mux(Handler):
-    def __init__(self, rsock, wsock):
+    def __init__(self, rfile, wfile):
-        Handler.__init__(self, [rsock, wsock])
+        Handler.__init__(self, [rfile, wfile])
-        self.rsock = rsock
+        self.rfile = rfile
-        self.wsock = wsock
+        self.wfile = wfile
        self.new_channel = self.got_dns_req = self.got_routes = None
        self.got_udp_open = self.got_udp_data = self.got_udp_close = None
        self.got_host_req = self.got_host_list = None
@ -349,7 +355,7 @@ class Mux(Handler):
    def next_channel(self):
        # channel 0 is special, so we never allocate it
-        for timeout in range(1024):
+        for _ in range(1024):
            self.chani += 1
            if self.chani > MAX_CHANNEL:
                self.chani = 1
@ -363,7 +369,7 @@ class Mux(Handler):
        return total
    def check_fullness(self):
-        if self.fullness > 32768:
+        if self.fullness > LATENCY_BUFFER_SIZE:
            if not self.too_full:
                self.send(0, CMD_PING, b('rttest'))
            self.too_full = True
@ -374,7 +380,7 @@ class Mux(Handler):
        # log('outbuf: %d %r\n' % (self.amount_queued(), ob))
    def send(self, channel, cmd, data):
-        assert isinstance(data, binary_type)
+        assert isinstance(data, bytes)
        assert len(data) <= 65535
        p = struct.pack('!ccHHH', b('S'), b('S'), channel, cmd, len(data)) \
            + data
@ -431,9 +437,15 @@ class Mux(Handler):
                callback(cmd, data)
    def flush(self):
-        self.wsock.setblocking(False)
+        try:
            os.set_blocking(self.wfile.fileno(), False)
        except AttributeError:
            # python < 3.5
            flags = fcntl.fcntl(self.wfile.fileno(), fcntl.F_GETFL)
            flags |= os.O_NONBLOCK
            flags = fcntl.fcntl(self.wfile.fileno(), fcntl.F_SETFL, flags)
        if self.outbuf and self.outbuf[0]:
-            wrote = _nb_clean(os.write, self.wsock.fileno(), self.outbuf[0])
+            wrote = _nb_clean(os.write, self.wfile.fileno(), self.outbuf[0])
            debug2('mux wrote: %r/%d\n' % (wrote, len(self.outbuf[0])))
            if wrote:
                self.outbuf[0] = self.outbuf[0][wrote:]
@ -441,9 +453,15 @@ class Mux(Handler):
            self.outbuf[0:1] = []
    def fill(self):
        self.rsock.setblocking(False)
        try:
-            read = _nb_clean(os.read, self.rsock.fileno(), 32768)
+            os.set_blocking(self.rfile.fileno(), False)
        except AttributeError:
            # python < 3.5
            flags = fcntl.fcntl(self.rfile.fileno(), fcntl.F_GETFL)
            flags |= os.O_NONBLOCK
            flags = fcntl.fcntl(self.rfile.fileno(), fcntl.F_SETFL, flags)
        try:
            read = _nb_clean(os.read, self.rfile.fileno(), LATENCY_BUFFER_SIZE)
        except OSError:
            _, e = sys.exc_info()[:2]
            raise Fatal('other end: %r' % e)
@ -473,22 +491,22 @@ class Mux(Handler):
                break
    def pre_select(self, r, w, x):
-        _add(r, self.rsock)
+        _add(r, self.rfile)
        if self.outbuf:
-            _add(w, self.wsock)
+            _add(w, self.wfile)
    def callback(self, sock):
-        (r, w, x) = select.select([self.rsock], [self.wsock], [], 0)
+        (r, w, _) = select.select([self.rfile], [self.wfile], [], 0)
-        if self.rsock in r:
+        if self.rfile in r:
            self.handle()
-        if self.outbuf and self.wsock in w:
+        if self.outbuf and self.wfile in w:
            self.flush()
 class MuxWrapper(SockWrapper):
    def __init__(self, mux, channel):
-        SockWrapper.__init__(self, mux.rsock, mux.wsock)
+        SockWrapper.__init__(self, mux.rfile, mux.wfile)
        self.mux = mux
        self.channel = channel
        self.mux.channels[channel] = self.got_packet
@ -565,7 +583,7 @@ class MuxWrapper(SockWrapper):
 def connect_dst(family, ip, port):
    debug2('Connecting to %s:%d\n' % (ip, port))
    outsock = socket.socket(family)
-    outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 42)
+    outsock.setsockopt(socket.SOL_IP, socket.IP_TTL, 63)
    return SockWrapper(outsock, outsock,
                       connect_to=(ip, port),
                       peername='%s:%d' % (ip, port))
--- a/sshuttle/ssyslog.py
+++ b/sshuttle/ssyslog.py
@ -8,12 +8,24 @@ _p = None
 def start_syslog():
    global _p
-    _p = ssubprocess.Popen(['logger',
+    with open(os.devnull, 'w') as devnull:
-                            '-p', 'daemon.notice',
+        _p = ssubprocess.Popen(
-                            '-t', 'sshuttle'], stdin=ssubprocess.PIPE)
+            ['logger', '-p', 'daemon.notice', '-t', 'sshuttle'],
            stdin=ssubprocess.PIPE,
            stdout=devnull,
            stderr=devnull
        )
 def close_stdin():
    sys.stdin.close()
 def stdout_to_syslog():
    sys.stdout.flush()
    os.dup2(_p.stdin.fileno(), sys.stdout.fileno())
 def stderr_to_syslog():
    sys.stdout.flush()
    sys.stderr.flush()
-    os.dup2(_p.stdin.fileno(), 2)
+    os.dup2(_p.stdin.fileno(), sys.stderr.fileno())
--- a/sshuttle/sudoers.py
+++ b/sshuttle/sudoers.py
@ -0,0 +1,64 @@
 import os
 import sys
 import getpass
 from uuid import uuid4
 from subprocess import Popen, PIPE
 from sshuttle.helpers import log, debug1
 from distutils import spawn
 path_to_sshuttle = sys.argv[0]
 path_to_dist_packages = os.path.dirname(os.path.abspath(__file__))[:-9]
 # randomize command alias to avoid collisions
 command_alias = 'SSHUTTLE%(num)s' % {'num': uuid4().hex[-3:].upper()}
 # Template for the sudoers file
 template = '''
 Cmnd_Alias %(ca)s = /usr/bin/env PYTHONPATH=%(dist_packages)s %(py)s %(path)s *
 %(user_name)s ALL=NOPASSWD: %(ca)s
 '''
 def build_config(user_name):
    content = template % {
        'ca': command_alias,
        'dist_packages': path_to_dist_packages,
        'py': sys.executable,
        'path': path_to_sshuttle,
        'user_name': user_name,
    }
    return content
 def save_config(content, file_name):
    process = Popen([
        '/usr/bin/sudo',
        spawn.find_executable('sudoers-add'),
        file_name,
    ], stdout=PIPE, stdin=PIPE)
    process.stdin.write(content.encode())
    streamdata = process.communicate()[0]
    returncode = process.returncode
    if returncode:
        log('Failed updating sudoers file.\n')
        debug1(streamdata)
        exit(returncode)
    else:
        log('Success, sudoers file update.\n')
        exit(0)
 def sudoers(user_name=None, no_modify=None, file_name=None):
    user_name = user_name or getpass.getuser()
    content = build_config(user_name)
    if no_modify:
        sys.stdout.write(content)
        exit(0)
    else:
        save_config(content, file_name)
--- a/sshuttle/tests/client/test_firewall.py
+++ b/sshuttle/tests/client/test_firewall.py
@ -1,23 +1,23 @@
 from mock import Mock, patch, call
 import io
-import socket
+from socket import AF_INET, AF_INET6
 from mock import Mock, patch, call
 import sshuttle.firewall
 def setup_daemon():
    stdin = io.StringIO(u"""ROUTES
-2,24,0,1.2.3.0,8000,9000
+{inet},24,0,1.2.3.0,8000,9000
-2,32,1,1.2.3.66,8080,8080
+{inet},32,1,1.2.3.66,8080,8080
-10,64,0,2404:6800:4004:80c::,0,0
+{inet6},64,0,2404:6800:4004:80c::,0,0
-10,128,1,2404:6800:4004:80c::101f,80,80
+{inet6},128,1,2404:6800:4004:80c::101f,80,80
 NSLIST
-2,1.2.3.33
+{inet},1.2.3.33
-10,2404:6800:4004:80c::33
+{inet6},2404:6800:4004:80c::33
 PORTS 1024,1025,1026,1027
-GO 1
+GO 1 -
 HOST 1.2.3.3,existing
-""")
+""".format(inet=AF_INET, inet6=AF_INET6))
    stdout = Mock()
    return stdin, stdout
@ -61,32 +61,33 @@ def test_rewrite_etc_hosts(tmpdir):
 def test_subnet_weight():
    subnets = [
-        (socket.AF_INET, 16, 0, '192.168.0.0', 0, 0),
+        (AF_INET, 16, 0, '192.168.0.0', 0, 0),
-        (socket.AF_INET, 24, 0, '192.168.69.0', 0, 0),
+        (AF_INET, 24, 0, '192.168.69.0', 0, 0),
-        (socket.AF_INET, 32, 0, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 0, '192.168.69.70', 0, 0),
-        (socket.AF_INET, 32, 1, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 1, '192.168.69.70', 0, 0),
-        (socket.AF_INET, 32, 1, '192.168.69.70', 80, 80),
+        (AF_INET, 32, 1, '192.168.69.70', 80, 80),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 0, 0),
+        (AF_INET, 0, 1, '0.0.0.0', 0, 0),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 400, 450)
+        (AF_INET, 0, 1, '0.0.0.0', 400, 450)
    ]
    subnets_sorted = [
-        (socket.AF_INET, 32, 1, '192.168.69.70', 80, 80),
+        (AF_INET, 32, 1, '192.168.69.70', 80, 80),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8000),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 400, 450),
+        (AF_INET, 0, 1, '0.0.0.0', 400, 450),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 8500),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
+        (AF_INET, 0, 1, '0.0.0.0', 8000, 9000),
-        (socket.AF_INET, 32, 1, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 1, '192.168.69.70', 0, 0),
-        (socket.AF_INET, 32, 0, '192.168.69.70', 0, 0),
+        (AF_INET, 32, 0, '192.168.69.70', 0, 0),
-        (socket.AF_INET, 24, 0, '192.168.69.0', 0, 0),
+        (AF_INET, 24, 0, '192.168.69.0', 0, 0),
-        (socket.AF_INET, 16, 0, '192.168.0.0', 0, 0),
+        (AF_INET, 16, 0, '192.168.0.0', 0, 0),
-        (socket.AF_INET, 0, 1, '0.0.0.0', 0, 0)
+        (AF_INET, 0, 1, '0.0.0.0', 0, 0)
    ]
-    
+
-    assert subnets_sorted == \
+    assert subnets_sorted == sorted(subnets,
-            sorted(subnets, key=sshuttle.firewall.subnet_weight, reverse=True)
+                                    key=sshuttle.firewall.subnet_weight,
                                    reverse=True)
@patch('sshuttle.firewall.rewrite_etc_hosts')
@ -117,18 +118,20 @@ def test_main(mock_get_method, mock_setup_daemon, mock_rewrite_etc_hosts):
        call('not_auto'),
        call().setup_firewall(
            1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
+            [(AF_INET6, u'2404:6800:4004:80c::33')],
-            10,
+            AF_INET6,
-            [(10, 64, False, u'2404:6800:4004:80c::', 0, 0),
+            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
-                (10, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
+                (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
-            True),
+            True,
            None),
        call().setup_firewall(
            1025, 1027,
-            [(2, u'1.2.3.33')],
+            [(AF_INET, u'1.2.3.33')],
-            2,
+            AF_INET,
-            [(2, 24, False, u'1.2.3.0', 8000, 9000),
+            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
-                (2, 32, True, u'1.2.3.66', 8080, 8080)],
+                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
-            True),
+            True,
-        call().restore_firewall(1024, 10, True),
+            None),
-        call().restore_firewall(1025, 2, True),
+        call().restore_firewall(1024, AF_INET6, True, None),
        call().restore_firewall(1025, AF_INET, True, None),
    ]
--- a/sshuttle/tests/client/test_helpers.py
+++ b/sshuttle/tests/client/test_helpers.py
@ -1,8 +1,9 @@
 from mock import patch, call
 import sys
 import io
 import socket
 from socket import AF_INET, AF_INET6
 import errno
 from mock import patch, call
 import sshuttle.helpers
@ -132,10 +133,12 @@ nameserver 2404:6800:4004:80c::4
    ns = sshuttle.helpers.resolvconf_nameservers()
    assert ns == [
-        (2, u'192.168.1.1'), (2, u'192.168.2.1'),
+        (AF_INET, u'192.168.1.1'), (AF_INET, u'192.168.2.1'),
-        (2, u'192.168.3.1'), (2, u'192.168.4.1'),
+        (AF_INET, u'192.168.3.1'), (AF_INET, u'192.168.4.1'),
-        (10, u'2404:6800:4004:80c::1'), (10, u'2404:6800:4004:80c::2'),
+        (AF_INET6, u'2404:6800:4004:80c::1'),
-        (10, u'2404:6800:4004:80c::3'), (10, u'2404:6800:4004:80c::4')
+        (AF_INET6, u'2404:6800:4004:80c::2'),
        (AF_INET6, u'2404:6800:4004:80c::3'),
        (AF_INET6, u'2404:6800:4004:80c::4')
    ]
@ -155,37 +158,39 @@ nameserver 2404:6800:4004:80c::4
 """)
    ns = sshuttle.helpers.resolvconf_random_nameserver()
    assert ns in [
-        (2, u'192.168.1.1'), (2, u'192.168.2.1'),
+        (AF_INET, u'192.168.1.1'), (AF_INET, u'192.168.2.1'),
-        (2, u'192.168.3.1'), (2, u'192.168.4.1'),
+        (AF_INET, u'192.168.3.1'), (AF_INET, u'192.168.4.1'),
-        (10, u'2404:6800:4004:80c::1'), (10, u'2404:6800:4004:80c::2'),
+        (AF_INET6, u'2404:6800:4004:80c::1'),
-        (10, u'2404:6800:4004:80c::3'), (10, u'2404:6800:4004:80c::4')
+        (AF_INET6, u'2404:6800:4004:80c::2'),
        (AF_INET6, u'2404:6800:4004:80c::3'),
        (AF_INET6, u'2404:6800:4004:80c::4')
    ]
-def test_islocal():
+@patch('sshuttle.helpers.socket.socket.bind')
-    assert sshuttle.helpers.islocal("127.0.0.1", socket.AF_INET)
+def test_islocal(mock_bind):
-    assert not sshuttle.helpers.islocal("192.0.2.1", socket.AF_INET)
+    bind_error = socket.error(errno.EADDRNOTAVAIL)
-    assert sshuttle.helpers.islocal("::1", socket.AF_INET6)
+    mock_bind.side_effect = [None, bind_error, None, bind_error]
-    assert not sshuttle.helpers.islocal("2001:db8::1", socket.AF_INET6)
+
    assert sshuttle.helpers.islocal("127.0.0.1", AF_INET)
    assert not sshuttle.helpers.islocal("192.0.2.1", AF_INET)
    assert sshuttle.helpers.islocal("::1", AF_INET6)
    assert not sshuttle.helpers.islocal("2001:db8::1", AF_INET6)
 def test_family_ip_tuple():
    assert sshuttle.helpers.family_ip_tuple("127.0.0.1") \
-        == (socket.AF_INET, "127.0.0.1")
+        == (AF_INET, "127.0.0.1")
    assert sshuttle.helpers.family_ip_tuple("192.168.2.6") \
-        == (socket.AF_INET, "192.168.2.6")
+        == (AF_INET, "192.168.2.6")
    assert sshuttle.helpers.family_ip_tuple("::1") \
-        == (socket.AF_INET6, "::1")
+        == (AF_INET6, "::1")
    assert sshuttle.helpers.family_ip_tuple("2404:6800:4004:80c::1") \
-        == (socket.AF_INET6, "2404:6800:4004:80c::1")
+        == (AF_INET6, "2404:6800:4004:80c::1")
 def test_family_to_string():
-    assert sshuttle.helpers.family_to_string(socket.AF_INET) == "AF_INET"
+    assert sshuttle.helpers.family_to_string(AF_INET) == "AF_INET"
-    assert sshuttle.helpers.family_to_string(socket.AF_INET6) == "AF_INET6"
+    assert sshuttle.helpers.family_to_string(AF_INET6) == "AF_INET6"
-    if sys.version_info < (3, 0):
+    expected = 'AddressFamily.AF_UNIX'
        expected = "1"
        assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == "1"
    else:
        expected = 'AddressFamily.AF_UNIX'
    assert sshuttle.helpers.family_to_string(socket.AF_UNIX) == expected
--- a/sshuttle/tests/client/test_methods_nat.py
+++ b/sshuttle/tests/client/test_methods_nat.py
@ -1,8 +1,9 @@
 import pytest
 from mock import Mock, patch, call
 import socket
 from socket import AF_INET, AF_INET6
 import struct
 import pytest
 from mock import Mock, patch, call
 from sshuttle.helpers import Fatal
 from sshuttle.methods import get_method
@ -18,7 +19,7 @@ def test_get_supported_features():
 def test_get_tcp_dstip():
    sock = Mock()
    sock.getsockopt.return_value = struct.pack(
-        '!HHBBBB', socket.ntohs(socket.AF_INET), 1024, 127, 0, 0, 1)
+        '!HHBBBB', socket.ntohs(AF_INET), 1024, 127, 0, 0, 1)
    method = get_method('nat')
    assert method.get_tcp_dstip(sock) == ('127.0.0.1', 1024)
    assert sock.mock_calls == [call.getsockopt(0, 80, 16)]
@ -84,11 +85,12 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1024, 1026,
-            [(10, u'2404:6800:4004:80c::33')],
+            [(AF_INET6, u'2404:6800:4004:80c::33')],
-            10,
+            AF_INET6,
-            [(10, 64, False, u'2404:6800:4004:80c::', 0, 0),
+            [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 0, 0),
-                (10, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
+                (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 80, 80)],
-            True)
+            True,
            None)
    assert str(excinfo.value) \
        == 'Address family "AF_INET6" unsupported by nat method_name'
    assert mock_ipt_chain_exists.mock_calls == []
@ -98,11 +100,12 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1025, 1027,
-            [(2, u'1.2.3.33')],
+            [(AF_INET, u'1.2.3.33')],
-            2,
+            AF_INET,
-            [(2, 24, False, u'1.2.3.0', 8000, 9000),
+            [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
-                (2, 32, True, u'1.2.3.66', 8080, 8080)],
+                (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
-            True)
+            True,
            None)
    assert str(excinfo.value) == 'UDP not supported by nat method_name'
    assert mock_ipt_chain_exists.mock_calls == []
    assert mock_ipt_ttl.mock_calls == []
@ -110,48 +113,55 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    method.setup_firewall(
        1025, 1027,
-        [(2, u'1.2.3.33')],
+        [(AF_INET, u'1.2.3.33')],
-        2,
+        AF_INET,
-        [(2, 24, False, u'1.2.3.0', 8000, 9000),
+        [(AF_INET, 24, False, u'1.2.3.0', 8000, 9000),
-            (2, 32, True, u'1.2.3.66', 8080, 8080)],
+            (AF_INET, 32, True, u'1.2.3.66', 8080, 8080)],
-        False)
+        False,
        None)
    assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'nat', 'sshuttle-1025')
+        call(AF_INET, 'nat', 'sshuttle-1025')
    ]
    assert mock_ipt_ttl.mock_calls == [
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
-            '--dest', u'1.2.3.0/24', '-p', 'tcp', '--dport', '8000:9000',
+             '--dest', u'1.2.3.0/24', '-p', 'tcp', '--dport', '8000:9000',
             '--to-ports', '1025'),
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'REDIRECT',
             '--dest', u'1.2.3.33/32', '-p', 'udp',
             '--dport', '53', '--to-ports', '1027')
    ]
    assert mock_ipt.mock_calls == [
-        call(2, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-X', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-X', 'sshuttle-1025'),
-        call(2, 'nat', '-N', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-N', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-I', 'OUTPUT', '1', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-I', 'PREROUTING', '1', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
+        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
-            '--dest', u'1.2.3.66/32', '-p', 'tcp', '--dport', '8080:8080')
+             '-m', 'addrtype', '--dst-type', 'LOCAL',
             '!', '-p', 'udp'),
        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
             '-m', 'addrtype', '--dst-type', 'LOCAL',
             '-p', 'udp', '!', '--dport', '53'),
        call(AF_INET, 'nat', '-A', 'sshuttle-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-p', 'tcp', '--dport', '8080:8080')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
    assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'nat', 'sshuttle-1025')
+        call(AF_INET, 'nat', 'sshuttle-1025')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
-        call(2, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'OUTPUT', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-D', 'PREROUTING', '-j', 'sshuttle-1025'),
-        call(2, 'nat', '-F', 'sshuttle-1025'),
+        call(AF_INET, 'nat', '-F', 'sshuttle-1025'),
-        call(2, 'nat', '-X', 'sshuttle-1025')
+        call(AF_INET, 'nat', '-X', 'sshuttle-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
--- a/sshuttle/tests/client/test_methods_pf.py
+++ b/sshuttle/tests/client/test_methods_pf.py
@ -1,7 +1,8 @@
 import socket
 from socket import AF_INET, AF_INET6
 import pytest
 from mock import Mock, patch, call, ANY
 import socket
 from sshuttle.methods import get_method
 from sshuttle.helpers import Fatal
 from sshuttle.methods.pf import FreeBsd, Darwin, OpenBsd
@ -20,7 +21,7 @@ def test_get_tcp_dstip():
    sock = Mock()
    sock.getpeername.return_value = ("127.0.0.1", 1024)
    sock.getsockname.return_value = ("127.0.0.2", 1025)
-    sock.family = socket.AF_INET
+    sock.family = AF_INET
    firewall = Mock()
    firewall.pfile.readline.return_value = \
@ -94,7 +95,7 @@ def test_firewall_command_darwin(mock_pf_get_dev, mock_ioctl, mock_stdout):
    assert not method.firewall_command("somthing")
    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
        "127.0.0.1", 1025, "127.0.0.2", 1024)
    assert method.firewall_command(command)
@ -117,7 +118,7 @@ def test_firewall_command_freebsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
    assert not method.firewall_command("somthing")
    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
        "127.0.0.1", 1025, "127.0.0.2", 1024)
    assert method.firewall_command(command)
@ -140,7 +141,7 @@ def test_firewall_command_openbsd(mock_pf_get_dev, mock_ioctl, mock_stdout):
    assert not method.firewall_command("somthing")
    command = "QUERY_PF_NAT %d,%d,%s,%d,%s,%d\n" % (
-        socket.AF_INET, socket.IPPROTO_TCP,
+        AF_INET, socket.IPPROTO_TCP,
        "127.0.0.1", 1025, "127.0.0.2", 1024)
    assert method.firewall_command(command)
@ -180,11 +181,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.setup_firewall(
        1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
-        10,
+        AF_INET6,
-        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
-            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
-        False)
+        False,
        None)
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
@ -199,14 +201,14 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        call('-s all'),
        call('-a sshuttle6-1024 -f /dev/stdin',
             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
-             b'rdr pass on lo0 inet6 proto tcp to '
+             b'rdr pass on lo0 inet6 proto tcp from ! ::1 to '
             b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
             b'rdr pass on lo0 inet6 proto udp '
             b'to <dns_servers> port 53 -> ::1 port 1026\n'
             b'pass out quick inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out route-to lo0 inet6 proto tcp to '
             b'2404:6800:4004:80c::/64 port 8000:9000 keep state\n'
             b'pass out inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out route-to lo0 inet6 proto udp '
             b'to <dns_servers> port 53 keep state\n'),
        call('-E'),
@ -218,11 +220,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1025, 1027,
-            [(2, u'1.2.3.33')],
+            [(AF_INET, u'1.2.3.33')],
-            2,
+            AF_INET,
-            [(2, 24, False, u'1.2.3.0', 0, 0),
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
-                (2, 32, True, u'1.2.3.66', 80, 80)],
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
-            True)
+            True,
            None)
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -230,10 +233,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.setup_firewall(
        1025, 1027,
-        [(2, u'1.2.3.33')],
+        [(AF_INET, u'1.2.3.33')],
-        2,
+        AF_INET,
-        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
-        False)
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        False,
        None)
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCC20441A, ANY),
@ -248,12 +253,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        call('-s all'),
        call('-a sshuttle-1025 -f /dev/stdin',
             b'table <dns_servers> {1.2.3.33}\n'
-             b'rdr pass on lo0 inet proto tcp to 1.2.3.0/24 '
+             b'rdr pass on lo0 inet proto tcp from ! 127.0.0.1 to 1.2.3.0/24 '
             b'-> 127.0.0.1 port 1025\n'
             b'rdr pass on lo0 inet proto udp '
             b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out route-to lo0 inet proto tcp to 1.2.3.0/24 keep state\n'
             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out route-to lo0 inet proto udp '
             b'to <dns_servers> port 53 keep state\n'),
        call('-E'),
@ -262,7 +267,7 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
        call('-a sshuttle-1025 -F all'),
@ -275,10 +280,12 @@ def test_setup_firewall_darwin(mock_pf_get_dev, mock_ioctl, mock_pfctl):
@patch('sshuttle.helpers.verbose', new=3)
@patch('sshuttle.methods.pf.pf', FreeBsd())
@patch('subprocess.call')
@patch('sshuttle.methods.pf.pfctl')
@patch('sshuttle.methods.pf.ioctl')
@patch('sshuttle.methods.pf.pf_get_dev')
-def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
+def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl,
                                mock_subprocess_call):
    mock_pfctl.side_effect = pfctl
    method = get_method('pf')
@ -286,28 +293,30 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.setup_firewall(
        1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
-        10,
+        AF_INET6,
-        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
-            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
-        False)
+        False,
        None)
    assert mock_pfctl.mock_calls == [
        call('-s all'),
        call('-a sshuttle6-1024 -f /dev/stdin',
             b'table <dns_servers> {2404:6800:4004:80c::33}\n'
-             b'rdr pass on lo0 inet6 proto tcp to 2404:6800:4004:80c::/64 '
+             b'rdr pass on lo0 inet6 proto tcp from ! ::1 to '
-             b'port 8000:9000 -> ::1 port 1024\n'
+             b'2404:6800:4004:80c::/64 port 8000:9000 -> ::1 port 1024\n'
             b'rdr pass on lo0 inet6 proto udp '
             b'to <dns_servers> port 53 -> ::1 port 1026\n'
             b'pass out quick inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out route-to lo0 inet6 proto tcp to '
             b'2404:6800:4004:80c::/64 port 8000:9000 keep state\n'
             b'pass out inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out route-to lo0 inet6 proto udp '
             b'to <dns_servers> port 53 keep state\n'),
        call('-e'),
    ]
    assert call(['kldload', 'pf']) in mock_subprocess_call.mock_calls
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
@ -315,11 +324,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1025, 1027,
-            [(2, u'1.2.3.33')],
+            [(AF_INET, u'1.2.3.33')],
-            2,
+            AF_INET,
-            [(2, 24, False, u'1.2.3.0', 0, 0),
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
-                (2, 32, True, u'1.2.3.66', 80, 80)],
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
-            True)
+            True,
            None)
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -327,10 +337,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.setup_firewall(
        1025, 1027,
-        [(2, u'1.2.3.33')],
+        [(AF_INET, u'1.2.3.33')],
-        2,
+        AF_INET,
-        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
-        False)
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        False,
        None)
    assert mock_ioctl.mock_calls == [
        call(mock_pf_get_dev(), 0xC4704433, ANY),
        call(mock_pf_get_dev(), 0xCBE0441A, ANY),
@ -343,12 +355,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
        call('-s all'),
        call('-a sshuttle-1025 -f /dev/stdin',
             b'table <dns_servers> {1.2.3.33}\n'
-             b'rdr pass on lo0 inet proto tcp to 1.2.3.0/24 -> '
+             b'rdr pass on lo0 inet proto tcp from ! 127.0.0.1 '
-             b'127.0.0.1 port 1025\n'
+             b'to 1.2.3.0/24 -> 127.0.0.1 port 1025\n'
             b'rdr pass on lo0 inet proto udp '
             b'to <dns_servers> port 53 -> 127.0.0.1 port 1027\n'
             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out route-to lo0 inet proto tcp to 1.2.3.0/24 keep state\n'
             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out route-to lo0 inet proto udp '
             b'to <dns_servers> port 53 keep state\n'),
        call('-e'),
@ -357,10 +369,12 @@ def test_setup_firewall_freebsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
    method.restore_firewall(1024, AF_INET6, False, None)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
        call('-a sshuttle-1025 -F all'),
        call('-a sshuttle6-1024 -F all'),
        call("-d"),
    ]
    mock_pf_get_dev.reset_mock()
@ -381,15 +395,16 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.setup_firewall(
        1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
-        10,
+        AF_INET6,
-        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
-            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
-        False)
+        False,
        None)
    assert mock_ioctl.mock_calls == [
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
    ]
    assert mock_pfctl.mock_calls == [
        call('-s Interfaces -i lo -v'),
@ -401,10 +416,10 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
             b'port 8000:9000 divert-to ::1 port 1024\n'
             b'pass in on lo0 inet6 proto udp '
             b'to <dns_servers> port 53 rdr-to ::1 port 1026\n'
             b'pass out quick inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out inet6 proto tcp to 2404:6800:4004:80c::/64 '
             b'port 8000:9000 route-to lo0 keep state\n'
             b'pass out inet6 proto tcp to '
             b'2404:6800:4004:80c::101f/128 port 8080:8080\n'
             b'pass out inet6 proto udp to '
             b'<dns_servers> port 53 route-to lo0 keep state\n'),
        call('-e'),
@ -412,15 +427,16 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    mock_pf_get_dev.reset_mock()
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
-    
+
    with pytest.raises(Exception) as excinfo:
        method.setup_firewall(
            1025, 1027,
-            [(2, u'1.2.3.33')],
+            [(AF_INET, u'1.2.3.33')],
-            2,
+            AF_INET,
-            [(2, 24, False, u'1.2.3.0', 0, 0),
+            [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
-                (2, 32, True, u'1.2.3.66', 80, 80)],
+                (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
-            True)
+            True,
            None)
    assert str(excinfo.value) == 'UDP not supported by pf method_name'
    assert mock_pf_get_dev.mock_calls == []
    assert mock_ioctl.mock_calls == []
@ -428,14 +444,15 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    method.setup_firewall(
        1025, 1027,
-        [(2, u'1.2.3.33')],
+        [(AF_INET, u'1.2.3.33')],
-        2,
+        AF_INET,
-        [(2, 24, False, u'1.2.3.0', 0, 0),
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
-            (2, 32, True, u'1.2.3.66', 80, 80)],
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
-        False)
+        False,
        None)
    assert mock_ioctl.mock_calls == [
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
-        call(mock_pf_get_dev(), 0xcd48441a, ANY),
+        call(mock_pf_get_dev(), 0xcd60441a, ANY),
    ]
    assert mock_pfctl.mock_calls == [
        call('-s Interfaces -i lo -v'),
@ -447,8 +464,8 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
             b'127.0.0.1 port 1025\n'
             b'pass in on lo0 inet proto udp to '
             b'<dns_servers> port 53 rdr-to 127.0.0.1 port 1027\n'
             b'pass out quick inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out inet proto tcp to 1.2.3.0/24 route-to lo0 keep state\n'
             b'pass out inet proto tcp to 1.2.3.66/32 port 80:80\n'
             b'pass out inet proto udp to '
             b'<dns_servers> port 53 route-to lo0 keep state\n'),
        call('-e'),
@ -457,11 +474,13 @@ def test_setup_firewall_openbsd(mock_pf_get_dev, mock_ioctl, mock_pfctl):
    mock_ioctl.reset_mock()
    mock_pfctl.reset_mock()
-    method.restore_firewall(1025, 2, False)
+    method.restore_firewall(1025, AF_INET, False, None)
    method.restore_firewall(1024, AF_INET6, False, None)
    assert mock_ioctl.mock_calls == []
    assert mock_pfctl.mock_calls == [
        call('-a sshuttle-1025 -F all'),
-        call("-d"),
+        call('-a sshuttle6-1024 -F all'),
        call('-d'),
    ]
    mock_pf_get_dev.reset_mock()
    mock_pfctl.reset_mock()
--- a/sshuttle/tests/client/test_methods_tproxy.py
+++ b/sshuttle/tests/client/test_methods_tproxy.py
@ -1,3 +1,6 @@
 import socket
 from socket import AF_INET, AF_INET6
 from mock import Mock, patch, call
 from sshuttle.methods import get_method
@ -49,7 +52,7 @@ def test_send_udp(mock_socket):
    assert sock.mock_calls == []
    assert mock_socket.mock_calls == [
        call(sock.family, 2),
-        call().setsockopt(1, 2, 1),
+        call().setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1),
        call().setsockopt(0, 19, 1),
        call().bind('127.0.0.2'),
        call().sendto("2222222", '127.0.0.1'),
@ -100,71 +103,73 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    method.setup_firewall(
        1024, 1026,
-        [(10, u'2404:6800:4004:80c::33')],
+        [(AF_INET6, u'2404:6800:4004:80c::33')],
-        10,
+        AF_INET6,
-        [(10, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
+        [(AF_INET6, 64, False, u'2404:6800:4004:80c::', 8000, 9000),
-            (10, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
+            (AF_INET6, 128, True, u'2404:6800:4004:80c::101f', 8080, 8080)],
-        True)
+        True,
        None)
    assert mock_ipt_chain_exists.mock_calls == [
-        call(10, 'mangle', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', 'sshuttle-m-1024'),
-        call(10, 'mangle', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', 'sshuttle-t-1024'),
-        call(10, 'mangle', 'sshuttle-d-1024')
+        call(AF_INET6, 'mangle', 'sshuttle-d-1024')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
-        call(10, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-X', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1024'),
-        call(10, 'mangle', '-N', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-N', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1024'),
-        call(10, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
+        call(AF_INET6, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1024'),
-        call(10, 'mangle', '-I', 'PREROUTING', '1', '-j', 'sshuttle-t-1024'),
+        call(AF_INET6, 'mangle', '-I', 'PREROUTING', '1', '-j',
-        call(10, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
+             'sshuttle-t-1024'),
        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'MARK',
             '--set-mark', '1'),
-        call(10, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-d-1024', '-j', 'ACCEPT'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
             '-j', 'sshuttle-d-1024', '-m', 'tcp', '-p', 'tcp'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-m', 'socket',
             '-j', 'sshuttle-d-1024', '-m', 'udp', '-p', 'udp'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1',
             '--dest', u'2404:6800:4004:80c::33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1026'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8080:8080'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'RETURN',
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'RETURN',
             '--dest', u'2404:6800:4004:80c::101f/128',
             '-m', 'udp', '-p', 'udp', '--dport', '8080:8080'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'tcp', '-p', 'tcp', '--dport', '8000:9000',
             '--on-port', '1024'),
-        call(10, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-m-1024', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'2404:6800:4004:80c::/64',
-             '-m', 'udp', '-p', 'udp'),
+             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000'),
-        call(10, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
+        call(AF_INET6, 'mangle', '-A', 'sshuttle-t-1024', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'2404:6800:4004:80c::/64',
             '-m', 'udp', '-p', 'udp', '--dport', '8000:9000',
             '--on-port', '1024')
@ -173,22 +178,22 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
-    method.restore_firewall(1025, 10, True)
+    method.restore_firewall(1025, AF_INET6, True, None)
    assert mock_ipt_chain_exists.mock_calls == [
-        call(10, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', 'sshuttle-m-1025'),
-        call(10, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', 'sshuttle-t-1025'),
-        call(10, 'mangle', 'sshuttle-d-1025')
+        call(AF_INET6, 'mangle', 'sshuttle-d-1025')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
-        call(10, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(10, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(10, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET6, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(10, 'mangle', '-X', 'sshuttle-d-1025')
+        call(AF_INET6, 'mangle', '-X', 'sshuttle-d-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
@ -198,68 +203,71 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    method.setup_firewall(
        1025, 1027,
-        [(2, u'1.2.3.33')],
+        [(AF_INET, u'1.2.3.33')],
-        2,
+        AF_INET,
-        [(2, 24, False, u'1.2.3.0', 0, 0), (2, 32, True, u'1.2.3.66', 80, 80)],
+        [(AF_INET, 24, False, u'1.2.3.0', 0, 0),
-        True)
+            (AF_INET, 32, True, u'1.2.3.66', 80, 80)],
        True,
        None)
    assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
-        call(2, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
-        call(2, 'mangle', 'sshuttle-d-1025')
+        call(AF_INET, 'mangle', 'sshuttle-d-1025')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
-        call(2, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-N', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-N', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-I', 'OUTPUT', '1', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-I', 'PREROUTING', '1', '-j', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-I', 'PREROUTING', '1', '-j',
-        call(2, 'mangle', '-A', 'sshuttle-d-1025',
+             'sshuttle-t-1025'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025',
             '-j', 'MARK', '--set-mark', '1'),
-        call(2, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
+        call(AF_INET, 'mangle', '-A', 'sshuttle-d-1025', '-j', 'ACCEPT'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
             '-j', 'sshuttle-d-1025', '-m', 'tcp', '-p', 'tcp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-m', 'socket',
             '-j', 'sshuttle-d-1025', '-m', 'udp', '-p', 'udp'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'1.2.3.33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.33/32',
             '-m', 'udp', '-p', 'udp', '--dport', '53', '--on-port', '1027'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp', 
             '--dport', '80:80'),
        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
             '--dport', '80:80'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'tcp', '-p', 'tcp',
             '--dport', '80:80'),
        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
             '--dport', '80:80'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'RETURN',
             '--dest', u'1.2.3.66/32', '-m', 'udp', '-p', 'udp',
             '--dport', '80:80'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'1.2.3.0/24',
             '-m', 'tcp', '-p', 'tcp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
             '-m', 'tcp', '-p', 'tcp', '--on-port', '1025'),
-        call(2, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-m-1025', '-j', 'MARK',
             '--set-mark', '1', '--dest', u'1.2.3.0/24',
             '-m', 'udp', '-p', 'udp'),
-        call(2, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
+        call(AF_INET, 'mangle', '-A', 'sshuttle-t-1025', '-j', 'TPROXY',
             '--tproxy-mark', '0x1/0x1', '--dest', u'1.2.3.0/24',
             '-m', 'udp', '-p', 'udp', '--on-port', '1025')
    ]
@ -267,22 +275,22 @@ def test_setup_firewall(mock_ipt_chain_exists, mock_ipt_ttl, mock_ipt):
    mock_ipt_ttl.reset_mock()
    mock_ipt.reset_mock()
-    method.restore_firewall(1025, 2, True)
+    method.restore_firewall(1025, AF_INET, True, None)
    assert mock_ipt_chain_exists.mock_calls == [
-        call(2, 'mangle', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-m-1025'),
-        call(2, 'mangle', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', 'sshuttle-t-1025'),
-        call(2, 'mangle', 'sshuttle-d-1025')
+        call(AF_INET, 'mangle', 'sshuttle-d-1025')
    ]
    assert mock_ipt_ttl.mock_calls == []
    assert mock_ipt.mock_calls == [
-        call(2, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-D', 'OUTPUT', '-j', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-m-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-m-1025'),
-        call(2, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-D', 'PREROUTING', '-j', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-t-1025'),
+        call(AF_INET, 'mangle', '-X', 'sshuttle-t-1025'),
-        call(2, 'mangle', '-F', 'sshuttle-d-1025'),
+        call(AF_INET, 'mangle', '-F', 'sshuttle-d-1025'),
-        call(2, 'mangle', '-X', 'sshuttle-d-1025')
+        call(AF_INET, 'mangle', '-X', 'sshuttle-d-1025')
    ]
    mock_ipt_chain_exists.reset_mock()
    mock_ipt_ttl.reset_mock()
--- a/sshuttle/tests/client/test_options.py
+++ b/sshuttle/tests/client/test_options.py
@ -1,8 +1,10 @@
 import socket
 import pytest
 import sshuttle.options
 from argparse import ArgumentTypeError as Fatal
 import pytest
 import sshuttle.options
 _ip4_reprs = {
        '0.0.0.0': '0.0.0.0',
        '255.255.255.255': '255.255.255.255',
@ -25,6 +27,7 @@ _ip6_reprs = {
 _ip6_swidths = (48, 64, 96, 115, 128)
 def test_parse_subnetport_ip4():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr) \
@ -41,7 +44,7 @@ def test_parse_subnetport_ip4_with_mask():
                    '/'.join((ip_repr, str(swidth)))
                    ) == (socket.AF_INET, ip, swidth, 0, 0)
    assert sshuttle.options.parse_subnetport('0/0') \
-            == (socket.AF_INET, '0.0.0.0', 0, 0, 0)
+        == (socket.AF_INET, '0.0.0.0', 0, 0, 0)
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('10.0.0.0/33')
    assert str(excinfo.value) == 'width 33 is not between 0 and 32'
@ -50,26 +53,23 @@ def test_parse_subnetport_ip4_with_mask():
 def test_parse_subnetport_ip4_with_port():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80'))) \
-                == (socket.AF_INET, ip, 32, 80, 80)
+            == (socket.AF_INET, ip, 32, 80, 80)
-        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80-90'))) \
+        assert sshuttle.options.parse_subnetport(':'.join((ip_repr, '80-90')))\
-                == (socket.AF_INET, ip, 32, 80, 90)
+            == (socket.AF_INET, ip, 32, 80, 90)
 def test_parse_subnetport_ip4_with_mask_and_port():
    for ip_repr, ip in _ip4_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr + '/32:80') \
-                == (socket.AF_INET, ip, 32, 80, 80)
+            == (socket.AF_INET, ip, 32, 80, 80)
        assert sshuttle.options.parse_subnetport(ip_repr + '/16:80-90') \
-                == (socket.AF_INET, ip, 16, 80, 90)
+            == (socket.AF_INET, ip, 16, 80, 90)
 def test_parse_subnetport_ip6():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport(ip_repr) \
                == (socket.AF_INET6, ip, 128, 0, 0)
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('2001::1::3f')
    assert str(excinfo.value) == 'Unable to resolve address: 2001::1::3f'
 def test_parse_subnetport_ip6_with_mask():
@ -79,7 +79,7 @@ def test_parse_subnetport_ip6_with_mask():
                    '/'.join((ip_repr, str(swidth)))
                    ) == (socket.AF_INET6, ip, swidth, 0, 0)
    assert sshuttle.options.parse_subnetport('::/0') \
-            == (socket.AF_INET6, '::', 0, 0, 0)
+        == (socket.AF_INET6, '::', 0, 0, 0)
    with pytest.raises(Fatal) as excinfo:
        sshuttle.options.parse_subnetport('fc00::/129')
    assert str(excinfo.value) == 'width 129 is not between 0 and 128'
@ -88,14 +88,14 @@ def test_parse_subnetport_ip6_with_mask():
 def test_parse_subnetport_ip6_with_port():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80') \
-                == (socket.AF_INET6, ip, 128, 80, 80)
+            == (socket.AF_INET6, ip, 128, 80, 80)
        assert sshuttle.options.parse_subnetport('[' + ip_repr + ']:80-90') \
-                == (socket.AF_INET6, ip, 128, 80, 90)
+            == (socket.AF_INET6, ip, 128, 80, 90)
 def test_parse_subnetport_ip6_with_mask_and_port():
    for ip_repr, ip in _ip6_reprs.items():
        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/128]:80') \
-                == (socket.AF_INET6, ip, 128, 80, 80)
+            == (socket.AF_INET6, ip, 128, 80, 80)
-        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/16]:80-90') \
+        assert sshuttle.options.parse_subnetport('[' + ip_repr + '/16]:80-90')\
-                == (socket.AF_INET6, ip, 16, 80, 90)
+            == (socket.AF_INET6, ip, 16, 80, 90)
--- a/sshuttle/tests/client/test_sdnotify.py
+++ b/sshuttle/tests/client/test_sdnotify.py
@ -1,8 +1,7 @@
 from mock import Mock, patch, call
 import sys
 import io
 import socket
 from mock import Mock, patch, call
 import sshuttle.sdnotify
@ -59,7 +58,7 @@ def test_notify(mock_get, mock_socket):
    sock.sendto.return_value = 1
    mock_get.return_value = '/run/valid_path'
    mock_socket.return_value = sock
-    
+
    assert sshuttle.sdnotify.send(*messages)
    assert sock.sendto.mock_calls == [
        call(b'\n'.join(messages), socket_path),
--- a/sshuttle/tests/server/test_server.py
+++ b/sshuttle/tests/server/test_server.py
@ -1,8 +1,9 @@
 import os
 import io
 import socket
 from mock import patch, Mock
 import sshuttle.server
 from mock import patch, Mock, call
 def test__ipmatch():
@ -46,7 +47,7 @@ Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
 def test_listroutes_iproute(mock_popen, mock_which):
    mock_pobj = Mock()
    mock_pobj.stdout = io.BytesIO(b"""
-default via 192.168.1.1 dev wlan0  proto static 
+default via 192.168.1.1 dev wlan0  proto static
 192.168.1.0/24 dev wlan0  proto kernel  scope link  src 192.168.1.1
 """)
    mock_pobj.wait.return_value = 0
--- a/tests/ssh/test_parse_hostport.py
+++ b/tests/ssh/test_parse_hostport.py
@ -0,0 +1,20 @@
 from sshuttle.ssh import parse_hostport
 def test_host_only():
    assert parse_hostport("host") == (None, None, None, "host")
    assert parse_hostport("1.2.3.4") == (None, None, None, "1.2.3.4")
    assert parse_hostport("2001::1") == (None, None, None, "2001::1")
    assert parse_hostport("[2001::1]") == (None, None, None, "2001::1")
 def test_host_and_port():
    assert parse_hostport("host:22") == (None, None, 22, "host")
    assert parse_hostport("1.2.3.4:22") == (None, None, 22, "1.2.3.4")
    assert parse_hostport("[2001::1]:22") == (None, None, 22, "2001::1")
 def test_username_and_host():
    assert parse_hostport("user@host") == ("user", None, None, "host")
    assert parse_hostport("user:@host") == ("user", None, None, "host")
    assert parse_hostport("user:pass@host") == ("user", "pass", None, "host")
--- a/tox.ini
+++ b/tox.ini
@ -1,20 +1,22 @@
 [tox]
 downloadcache = {toxworkdir}/cache/
 envlist =
    py26,
    py27,
    py34,
    py35,
    py36,
    py37,
    py38,
 [testenv]
 basepython =
-    py26: python2.6
+    py36: python3.6
-    py27: python2.7
+    py37: python3.7
-    py34: python3.4
+    py38: python3.8
    py35: python3.5
 commands =
-    py.test
+    pip install -e .
-deps =
+    # actual flake8 test
    flake8 sshuttle tests
    # flake8 complexity warnings
    flake8 sshuttle tests --exit-zero --max-complexity=10
    pytest
-    mock
+deps =
-    setuptools>=17.1
+    -rrequirements-tests.txt